AIDA64 Extreme

 
Version  AIDA64 v6.20.5353 Beta
Benchmark Module  4.5.816.8-x64
Homepage  http://www.aida64.com/
Report Type  Report Wizard
Computer  DESKTOP-UT5JEJD
Generator  redblue
Operating System  Microsoft Windows 10 Home 10.0.18363.720 (Win10 19H2 [1909] November 2019 Update)
Date  2020-03-18
Time  13:28


Summary

 
Computer:
Computer Type  ACPI x64-based PC
Operating System  Microsoft Windows 10 Home
OS Service Pack  -
Internet Explorer  11.719.18362.0
Edge  44.18362.449.0
DirectX  DirectX 12.0
Computer Name  DESKTOP-UT5JEJD
User Name  redblue
Logon Domain  DESKTOP-UT5JEJD
Date / Time  2020-03-18 / 13:28
 
Motherboard:
CPU Type  QuadCore Intel Core i7-1065G7, 3100 MHz (31 x 100)
Motherboard Name  LG 17Z90N-V.AA76C
Motherboard Chipset  Intel Ice Point-LP, Intel Ice Lake-U
System Memory  16096 MB (LPDDR4 SDRAM)
BIOS Type  Unknown (12/26/2019)
 
Display:
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Video Adapter  Intel(R) Iris(R) Plus Graphics (1 GB)
Monitor  LG Philips LP170WQ1-SPA1 [17" LCD]
 
Multimedia:
Audio Adapter  Conexant CX8200 @ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
Audio Adapter  Intel Ice Point HDMI @ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
 
Storage:
Storage Controller  Microsoft Storage Spaces Controller
Storage Controller  Standard NVM Express Controller
Storage Controller  Standard NVM Express Controller
Disk Drive  SAMSUNG MZVLB512HAJQ-00000 (512 GB, PCI-E 3.0 x4)
Disk Drive  XPG GAMMIX S11L (476 GB)
SMART Hard Disks Status  OK
 
Partitions:
C: (NTFS)  455.0 GB (396.1 GB free)
D: (NTFS)  476.9 GB (476.8 GB free)
Total Size  932.0 GB (872.9 GB free)
 
Input:
Keyboard  Standard PS/2 Keyboard
Mouse  HID-compliant mouse
 
Network:
Primary IP Address  100.79.143.17
Primary MAC Address  80-32-53-79-E3-B6
Network Adapter  Intel(R) Wi-Fi 6 AX201 160MHz (100.79.143.17)
Network Adapter  Microsoft Wi-Fi Direct Virtual Adapter #2
Network Adapter  Microsoft Wi-Fi Direct Virtual Adapter
Network Adapter  TAP-Windows Adapter V9
 
Peripherals:
Printer  Fax
Printer  Microsoft Print to PDF
Printer  Microsoft XPS Document Writer
USB3 Controller  Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller
USB Device  Intel(R) Wireless Bluetooth(R)
USB Device  LG Camera
USB Device  USB Composite Device
Battery  Microsoft AC Adapter
Battery  Microsoft ACPI-Compliant Control Method Battery
 
DMI:
DMI BIOS Vendor  Phoenix Technologies Ltd.
DMI BIOS Version  C2ZE0135 X64
DMI System Manufacturer  LG Electronics
DMI System Product  17Z90N-V.AA76C
DMI System Version  0.1
DMI System Serial Number  002NZCG018731
DMI System UUID  DEEF16D7-F1CAD110-8D7143A5-6257B1F9
DMI Motherboard Manufacturer  LG Electronics
DMI Motherboard Product  17Z90N
DMI Motherboard Version  FAB1
DMI Motherboard Serial Number  C26748C0CBC711F8C75EFDC90633ADA617Z90N-V.AA76C
DMI Chassis Manufacturer  LG Electronics
DMI Chassis Version  0.1
DMI Chassis Serial Number  123-1234-123
DMI Chassis Asset Tag  Asset Tag
DMI Chassis Type  Notebook


Computer Name

 
Type  Class  Computer Name
Computer Comment  Logical  
NetBIOS Name  Logical  DESKTOP-UT5JEJD
DNS Host Name  Logical  DESKTOP-UT5JEJD
DNS Domain Name  Logical  
Fully Qualified DNS Name  Logical  DESKTOP-UT5JEJD
NetBIOS Name  Physical  DESKTOP-UT5JEJD
DNS Host Name  Physical  DESKTOP-UT5JEJD
DNS Domain Name  Physical  
Fully Qualified DNS Name  Physical  DESKTOP-UT5JEJD


DMI

 
[ BIOS ]
 
BIOS Properties:
Vendor  Phoenix Technologies Ltd.
Version  C2ZE0135 X64
Release Date  12/26/2019
Size  10 MB
System BIOS Version  0.1
Boot Devices  Floppy Disk, Hard Disk, CD-ROM
Capabilities  Flash BIOS, Shadow BIOS, Selectable Boot, Network Service Boot, EDD, BBS
Supported Standards  DMI, ACPI, UEFI
Expansion Capabilities  PCI, USB
Virtual Machine  No
 
BIOS Manufacturer:
Company Name  Phoenix Technologies Ltd.
Product Information  http://www.phoenix.com/products
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
 
[ System ]
 
System Properties:
Manufacturer  LG Electronics
Product  17Z90N-V.AA76C
Version  0.1
Serial Number  002NZCG018731
Family  Z Series
Universal Unique ID  DEEF16D7-F1CAD110-8D7143A5-6257B1F9
Universal Unique ID (GUID)  D716EFDE-CAF1-10D1-8D71-43A56257B1F9
Wake-Up Type  Power Switch
 
[ Motherboard ]
 
Motherboard Properties:
Manufacturer  LG Electronics
Product  17Z90N
Version  FAB1
Serial Number  C26748C0CBC711F8C75EFDC90633ADA617Z90N-V.AA76C
Asset Tag  Base Board Asset Tag
 
[ Chassis ]
 
Chassis Properties:
Manufacturer  LG Electronics
Version  0.1
Serial Number  123-1234-123
Asset Tag  Asset Tag
Chassis Type  Notebook
Boot-Up State  Safe
Power Supply State  Safe
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Processor Properties:
Manufacturer  Intel(R) Corporation
Version  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Serial Number  To Be Filled By O.E.M.
Asset Tag  To Be Filled By O.E.M.
Part Number  To Be Filled By O.E.M.
External Clock  100 MHz
Current Clock  1700 MHz
Type  Central Processor
Voltage  0.7 V
Status  Enabled
Socket Designation  U3E1
HTT / CMP Units  2 / 4
Capabilities  64-bit, Multi-Core, Multiple Hardware Threads, Execute Protection, Enhanced Virtualization, Power/Performance Control
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Caches / L1 Cache ]
 
Cache Properties:
Type  Data
Status  Enabled
Operational Mode  Write-Back
Associativity  12-way Set-Associative
Maximum Size  0 MB
Installed Size  0 MB
Supported SRAM Type  Synchronous
Current SRAM Type  Synchronous
Error Correction  Parity
Socket Designation  L1 Cache
 
[ Caches / L1 Cache ]
 
Cache Properties:
Type  Instruction
Status  Enabled
Operational Mode  Write-Back
Associativity  8-way Set-Associative
Maximum Size  0 MB
Installed Size  0 MB
Supported SRAM Type  Synchronous
Current SRAM Type  Synchronous
Error Correction  Parity
Socket Designation  L1 Cache
 
[ Caches / L2 Cache ]
 
Cache Properties:
Type  Unified
Status  Enabled
Operational Mode  Write-Back
Associativity  8-way Set-Associative
Maximum Size  0 MB
Installed Size  0 MB
Supported SRAM Type  Synchronous
Current SRAM Type  Synchronous
Error Correction  Single-bit ECC
Socket Designation  L2 Cache
 
[ Caches / L3 Cache ]
 
Cache Properties:
Type  Unified
Status  Enabled
Operational Mode  Write-Back
Associativity  16-way Set-Associative
Maximum Size  0 MB
Installed Size  0 MB
Supported SRAM Type  Synchronous
Current SRAM Type  Synchronous
Error Correction  Multi-bit ECC
Socket Designation  L3 Cache
 
[ Memory Arrays / System Memory ]
 
Memory Array Properties:
Location  Motherboard
Memory Array Function  System Memory
Error Correction  None
Max. Memory Capacity  32 GB
Memory Devices  2
 
[ Memory Devices / ChannelA-DIMM0 ]
 
Memory Device Properties:
Form Factor  SODIMM
Type  DDR4
Type Detail  Synchronous
Size  8 GB
Max. Clock Speed  3200 MT/s
Current Clock Speed  3200 MT/s
Total Width  64-bit
Data Width  64-bit
Ranks  1
Current Voltage  1.200 V
Device Locator  ChannelA-DIMM0
Bank Locator  BANK 0
Manufacturer  SK Hynix
Serial Number  52B677D7
Asset Tag  9876543210
Part Number  HMA81GS6CJR8N-XN
 
[ Memory Devices / ChannelB-DIMM0 ]
 
Memory Device Properties:
Form Factor  SODIMM
Type  DDR4
Type Detail  Synchronous
Size  8 GB
Max. Clock Speed  3200 MT/s
Current Clock Speed  3200 MT/s
Total Width  64-bit
Data Width  64-bit
Ranks  1
Current Voltage  1.200 V
Device Locator  ChannelB-DIMM0
Bank Locator  BANK 2
Manufacturer  Samsung
Serial Number  00000000
Asset Tag  9876543210
Part Number  M471A1G44AB0-CWE
 
[ System Slots / PEG Gen1/Gen2/Gen3 X16 ]
 
System Slot Properties:
Slot Designation  PEG Gen1/Gen2/Gen3 X16
Type  PCI-E
Usage  Available
Data Bus Width  x16
Length  Long
ID  0
 
[ System Slots / PCI-Express 1 X1 ]
 
System Slot Properties:
Slot Designation  PCI-Express 1 X1
Type  PCI-E
Usage  Available
Data Bus Width  x1
Length  Short
ID  1
 
[ System Slots / PCI-Express 2 X1 ]
 
System Slot Properties:
Slot Designation  PCI-Express 2 X1
Type  PCI-E
Usage  Available
Data Bus Width  x1
Length  Short
ID  2
 
[ System Slots / PCI-Express 3 X1 ]
 
System Slot Properties:
Slot Designation  PCI-Express 3 X1
Type  PCI-E
Usage  Available
Data Bus Width  x1
Length  Short
ID  3
 
[ System Slots / PCI-Express 4 X1 ]
 
System Slot Properties:
Slot Designation  PCI-Express 4 X1
Type  PCI-E
Usage  Available
Data Bus Width  x1
Length  Short
ID  4
 
[ System Slots / PCI-Express 5 X4 ]
 
System Slot Properties:
Slot Designation  PCI-Express 5 X4
Type  PCI-E
Usage  Available
Data Bus Width  x4
Length  Short
ID  5
 
[ Port Connectors / Keyboard ]
 
Port Connector Properties:
Port Type  Keyboard Port
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  Keyboard
External Connector Type  PS/2
 
[ Port Connectors / Mouse ]
 
Port Connector Properties:
Port Type  Mouse Port
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  Mouse
External Connector Type  PS/2
 
[ Port Connectors / COM 1 ]
 
Port Connector Properties:
Port Type  Serial Port 16550A Compatible
Internal Reference Designator  None
External Reference Designator  COM 1
External Connector Type  DB-9 pin male
 
[ Port Connectors / USB3.0 - 1#/USB2.0 - 1# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB3.0 - 1#/USB2.0 - 1#
External Connector Type  USB
 
[ Port Connectors / USB3.0 - 2#/USB2.0 - 2# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB3.0 - 2#/USB2.0 - 2#
External Connector Type  USB
 
[ Port Connectors / USB3.0 - 3#/USB2.0 - 3# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB3.0 - 3#/USB2.0 - 3#
External Connector Type  USB
 
[ Port Connectors / USB3.0 - 4#/USB2.0 - 4# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB3.0 - 4#/USB2.0 - 4#
External Connector Type  USB
 
[ Port Connectors / USB2.0 - 5# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB2.0 - 5#
External Connector Type  USB
 
[ Port Connectors / USB2.0 - 6# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB2.0 - 6#
External Connector Type  USB
 
[ Port Connectors / USB2.0 - 7# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB2.0 - 7#
External Connector Type  USB
 
[ Port Connectors / USB2.0 - 8# ]
 
Port Connector Properties:
Port Type  USB
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  USB2.0 - 8#
External Connector Type  USB
 
[ Port Connectors / Ethernet ]
 
Port Connector Properties:
Port Type  Network Port
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  Ethernet
External Connector Type  RJ-45
 
[ Port Connectors / None ]
 
Port Connector Properties:
Port Type  SATA
Internal Reference Designator  SATA Port 1 J6J1
Internal Connector Type  SATA/SAS Plug Receptacle
External Reference Designator  None
External Connector Type  None
 
[ Port Connectors / None ]
 
Port Connector Properties:
Port Type  SATA
Internal Reference Designator  SATA Port 2 J5C4
Internal Connector Type  SATA/SAS Plug Receptacle
External Reference Designator  None
External Connector Type  None
 
[ Port Connectors / None ]
 
Port Connector Properties:
Port Type  SATA
Internal Reference Designator  SATA Port 3(ODD) J5J4
Internal Connector Type  SATA/SAS Plug Receptacle
External Reference Designator  None
External Connector Type  None
 
[ Port Connectors / None ]
 
Port Connector Properties:
Port Type  SATA
Internal Reference Designator  None
Internal Connector Type  None
External Reference Designator  None
External Connector Type  SATA/SAS Plug Receptacle
 
[ On-Board Devices / Intel(R) Extreme Graphics 3 Controller ]
 
On-Board Device Properties:
Description  Intel(R) Extreme Graphics 3 Controller
Type  Video
Status  Enabled
 
[ On-Board Devices / Intel(R) Azalia Audio Device ]
 
On-Board Device Properties:
Description  Intel(R) Azalia Audio Device
Type  Sound
Status  Enabled
 
[ Batteries / Smart Battery ]
 
Battery Properties:
Device Name  Smart Battery
Manufacturer  Intel Corp.
Manufacture Date  2008
Serial Number  1.0
Location  Rear
Battery Type  Lithium-Ion
SDDS Version  V1.0
 
[ TPM Device ]
 
TPM Device:
Vendor ID  INTC
TPM Version  2.0
Description  TPM 2.0, ManufacturerID: INTC, Firmware Version: 0x01F40005.0x0
Family Configurable via Firmware Update  Not Supported
Family Configurable via Platform Software Support  Not Supported
Family Configurable via OEM Proprietary Mechanism  Not Supported
 
[ Intel AMT ]
 
Intel AMT Properties:
Intel AMT  Not Supported
IDE Redirection  Disabled
SOL  Disabled
AMT Network Interface  Disabled
 
[ Intel vPro ]
 
Intel vPro Properties:
MEBX Version  13.0.0.4
ME Firmware Version  13.0.21.1319
PCH PCI Bus / Device / Function  0 / 31 / 0
PCH PCI Device ID  8086-3482
Wired NIC PCI Bus / Device / Function  0 / 31 / 6
Wired NIC PCI Device ID  8086-FFFF
AMT  Not Supported
Anti-Theft  Not Supported
Anti-Theft PBA for Recovery  Not Supported
Anti-Theft WWAN  Not Supported
BIOS TXT  Not Supported
BIOS VT-d  Supported
BIOS VT-x  Supported
CPU VT-x  Supported, Enabled
CPU TXT  Not Supported
KVM  Not Supported
Local Wakeup Timer  Not Supported
Management Engine  Enabled
Small Business Advantage  Not Supported
Standard Manageability  Not Supported
 
[ Miscellaneous ]
 
Miscellaneous:
OEM String  This is the Intel Kabylake CRB Platform


Overclock

 
CPU Properties:
CPU Type  QuadCore Intel Core i7-1065G7
CPU Alias  Ice Lake-U
CPU Stepping  D1
Engineering Sample  No
CPUID CPU Name  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
CPUID Revision  000706E5h
CPU VID  0.7274 V
 
CPU Speed:
CPU Clock  3392.5 MHz (original: 1300 MHz, overclock: 160%)
CPU Multiplier  34x
CPU FSB  99.8 MHz (original: 100 MHz)
North Bridge Clock  997.8 MHz
System Agent Clock  798.2 MHz
Memory Bus  798.2 MHz
DRAM:FSB Ratio  24:3
 
CPU Cache:
L1 Code Cache  32 KB per core
L1 Data Cache  48 KB per core
L2 Cache  512 KB per core (On-Die, ECC, Full-Speed)
L3 Cache  8 MB (On-Die, ECC, Full-Speed)
 
Motherboard Properties:
Motherboard ID  <DMI>
Motherboard Name  LG 17Z90N-V.AA76C
 
Chipset Properties:
Motherboard Chipset  Intel Ice Point-LP, Intel Ice Lake-U
Memory Timings  22-22-22-52 (CL-RCD-RP-RAS)
Command Rate (CR)  1T
 
BIOS Properties:
System BIOS Date  12/26/2019
Video BIOS Date  Unknown
DMI BIOS Version  C2ZE0135 X64
 
Graphics Processor Properties:
Video Adapter  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
GPU Code Name  Ice Lake-U GT2 64EU (Integrated 8086 / 8A52, Rev 07)
GPU Clock  300 MHz


Power Management

 
Power Management Properties:
Current Power Source  Battery
Battery Status  85 % (High Level)
Full Battery Lifetime  Unknown
Remaining Battery Lifetime  30270 sec (8 hours, 24 min, 30 sec)
 
Battery Properties:
Device Name  LGC-LGC
Manufacturer  LG
Serial Number  3469
Unique ID  3469 LG LGC-LGC
Battery Type  Rechargeable Li-Ion
Designed Capacity  80000 mWh
Fully Charged Capacity  74900 mWh
Current Capacity  64000 mWh (85 %)
Battery Voltage  8.403 V
Charge-Discharge Cycle Count  1
Wear Level  6 %
Power State  Discharging
Discharge Rate  6150 mW


Portable Computer

 
Centrino (Carmel) Platform Compliancy:
CPU: Intel Pentium M (Banias/Dothan)  No (Intel Core i7-1065G7)
Chipset: Intel i855GM/PM  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel PRO/Wireless  No
System: Centrino Compliant  No
 
Centrino (Sonoma) Platform Compliancy:
CPU: Intel Pentium M (Dothan)  No (Intel Core i7-1065G7)
Chipset: Intel i915GM/PM  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel PRO/Wireless 2200/2915  No
System: Centrino Compliant  No
 
Centrino (Napa) Platform Compliancy:
CPU: Intel Core (Yonah) / Core 2 (Merom)  No (Intel Core i7-1065G7)
Chipset: Intel i945GM/PM  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel PRO/Wireless 3945/3965  No
System: Centrino Compliant  No
 
Centrino (Santa Rosa) Platform Compliancy:
CPU: Intel Core 2 (Merom/Penryn)  No (Intel Core i7-1065G7)
Chipset: Intel GM965/PM965  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel Wireless WiFi Link 4965  No
System: Centrino Compliant  No
 
Centrino 2 (Montevina) Platform Compliancy:
CPU: Intel Core 2 (Penryn)  No (Intel Core i7-1065G7)
Chipset: Mobile Intel 4 Series  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel WiFi Link 5000 Series  No
System: Centrino 2 Compliant  No
 
Centrino (Calpella) Platform Compliancy:
CPU: Intel Core i3/i5/i7 (Arrandale/Clarksfield)  No (Intel Core i7-1065G7)
Chipset: Mobile Intel 5 Series  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel Centrino Advanced-N / Ultimate-N / Wireless-N  No
System: Centrino Compliant  No
 
Centrino (Huron River) Platform Compliancy:
CPU: Intel Core i3/i5/i7 (Sandy Bridge-MB)  No (Intel Core i7-1065G7)
Chipset: Mobile Intel 6 Series  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel Centrino Advanced-N / Ultimate-N / Wireless-N  No
System: Centrino Compliant  No
 
Centrino (Chief River) Platform Compliancy:
CPU: Intel Core i3/i5/i7 (Ivy Bridge-MB)  No (Intel Core i7-1065G7)
Chipset: Mobile Intel 7 Series  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel Centrino Advanced-N / Ultimate-N / Wireless-N  No
System: Centrino Compliant  No
 
Centrino (Shark Bay-MB) Platform Compliancy:
CPU: Intel Core i3/i5/i7 (Haswell-MB)  No (Intel Core i7-1065G7)
Chipset: Mobile Intel 8/9 Series  No (Intel Ice Point-LP, Intel Ice Lake-U)
WLAN: Intel Centrino Advanced-N / Ultimate-N / Wireless-N  No
System: Centrino Compliant  No


Sensor

 
Sensor Properties:
Sensor Type  CPU, HDD, ACPI, SNB
 
Temperatures:
CPU  32 °C
CPU Package  56 °C
CPU IA Cores  56 °C
CPU GT Cores  55 °C
CPU #1 / Core #1  54 °C
CPU #1 / Core #2  52 °C
CPU #1 / Core #3  55 °C
CPU #1 / Core #4  51 °C
SAMSUNG MZVLB512HAJQ-00000  32 °C / 37 °C
XPG GAMMIX S11L  29 °C
 
Voltage Values:
CPU Core  0.727 V
CPU VID  0.727 V
Battery  8.351 V
 
Power Values:
CPU Package  0.87 W
CPU IA Cores  0.14 W
CPU GT Cores  0.02 W
CPU Uncore  0.70 W
Battery Charge Rate  -12.99 W


CPU

 
CPU Properties:
CPU Type  QuadCore Intel Core i7-1065G7, 3100 MHz (31 x 100)
CPU Alias  Ice Lake-U
CPU Stepping  D1
Instruction Set  x86, x86-64, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, AVX, AVX2, AVX-512, FMA, AES, SHA
Original Clock  1300 MHz
Min / Max CPU Multiplier  4x / 15x
Engineering Sample  No
L1 Code Cache  32 KB per core
L1 Data Cache  48 KB per core
L2 Cache  512 KB per core (On-Die, ECC, Full-Speed)
L3 Cache  8 MB (On-Die, ECC, Full-Speed)
 
CPU Physical Info:
Package Type  1526 Ball BGA
Package Size  50 mm x 25 mm
Process Technology  10 nm, CMOS, Cu, High-K + Metal Gate
Die Size  122 mm2
PCH: Die Size  54 mm2
Typical Power  15 W
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
Multi CPU:
CPU #1  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #2  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #3  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #4  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #5  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #6  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #7  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
CPU #8  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz, 1498 MHz
 
CPU Utilization:
CPU #1 / Core #1 / SMT Unit #1  0%
CPU #1 / Core #1 / SMT Unit #2  0%
CPU #1 / Core #2 / SMT Unit #1  0%
CPU #1 / Core #2 / SMT Unit #2  0%
CPU #1 / Core #3 / SMT Unit #1  0%
CPU #1 / Core #3 / SMT Unit #2  0%
CPU #1 / Core #4 / SMT Unit #1  0%
CPU #1 / Core #4 / SMT Unit #2  0%


CPUID

 
CPUID Properties:
CPUID Manufacturer  GenuineIntel
CPUID CPU Name  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
CPUID Revision  000706E5h
IA Brand ID  00h (Unknown)
Platform ID  43h / MC 80h (FCBGA1526)
Microcode Update Revision  56h
SMT / CMP Units  2 / 4
Tjmax Temperature  100 °C (212 °F)
CPU Thermal Design Power (TDP)  15 W
CPU Thermal Design Current (TDC)  101 A
CPU Max Power Limit  Unlimited Power / Unlimited Time
CPU Power Limit 1 (Long Duration)  15 W / 28.00 sec (Unlocked)
CPU Power Limit 2 (Short Duration)  46 W / 2.44 ms (Unlocked)
Max Turbo Boost Multipliers  1C: 39x, 2C: 38x, 3C: 35x, 4C: 35x
 
Instruction Set:
64-bit x86 Extension (AMD64, Intel64)  Supported
AMD 3DNow!  Not Supported
AMD 3DNow! Professional  Not Supported
AMD 3DNowPrefetch  Supported
AMD Enhanced 3DNow!  Not Supported
AMD Extended MMX  Not Supported
AMD FMA4  Not Supported
AMD MisAligned SSE  Not Supported
AMD SSE4A  Not Supported
AMD XOP  Not Supported
Cyrix Extended MMX  Not Supported
Enhanced REP MOVSB/STOSB  Supported
Enqueue Stores  Not Supported
Galois Field New Instructions (GFNI)  Supported
Float-16 Conversion Instructions  Supported, Enabled
IA-64  Not Supported
IA AES Extensions  Supported
IA AVX  Supported, Enabled
IA AVX2  Supported, Enabled
IA AVX-512 (AVX512F)  Supported, Enabled
IA AVX-512 4x Fused Multiply-Add Single Precision (AVX512_4FMAPS)  Not Supported
IA AVX-512 4x Neural Network Instructions (AVX512_4VNNIW)  Not Supported
IA AVX-512 52-bit Integer Multiply-Add Instructions (AVX512_IFMA)  Supported, Enabled
IA AVX-512 BF16 (AVX512_BF16)  Not Supported
IA AVX-512 Bit Algorithm (AVX512_BITALG)  Supported, Enabled
IA AVX-512 Byte and Word Instructions (AVX512BW)  Supported, Enabled
IA AVX-512 Conflict Detection Instructions (AVX512CD)  Supported, Enabled
IA AVX-512 Doubleword and Quadword Instructions (AVX512DQ)  Supported, Enabled
IA AVX-512 Exponential and Reciprocal Instructions (AVX512ER)  Not Supported
IA AVX-512 Intersection (AVX512_VP2INTERSECT)  Not Supported
IA AVX-512 Neural Network Instructions (AVX512_VNNI)  Supported, Enabled
IA AVX-512 Prefetch Instructions (AVX512PF)  Not Supported
IA AVX-512 Vector Bit Manipulation Instructions (AVX512_VBMI)  Supported, Enabled
IA AVX-512 Vector Bit Manipulation Instructions 2 (AVX512_VBMI2)  Supported, Enabled
IA AVX-512 Vector Length Extensions (AVX512VL)  Supported, Enabled
IA AVX-512 VPOPCNTDQ  Supported, Enabled
IA BMI1  Supported
IA BMI2  Supported
IA FMA  Supported, Enabled
IA MMX  Supported
IA SHA Extensions  Supported
IA SSE  Supported
IA SSE2  Supported
IA SSE3  Supported
IA Supplemental SSE3  Supported
IA SSE4.1  Supported
IA SSE4.2  Supported
Vector AES (VAES)  Supported, Enabled
VIA Alternate Instruction Set  Not Supported
ADCX / ADOX Instruction  Supported
CLDEMOTE Instruction  Not Supported
CLFLUSH Instruction  Supported
CLFLUSHOPT Instruction  Supported
CLWB Instruction  Not Supported
CLZERO Instruction  Not Supported
CMPXCHG8B Instruction  Supported
CMPXCHG16B Instruction  Supported
Conditional Move Instruction  Supported
Fast Short REP MOV Instruction  Supported
INVPCID Instruction  Supported
LAHF / SAHF Instruction  Supported
LZCNT Instruction  Supported
MCOMMIT Instruction  Not Supported
MONITOR / MWAIT Instruction  Supported
MONITORX / MWAITX Instruction  Not Supported
MOVBE Instruction  Supported
MOVDIR64B Instruction  Not Supported
MOVDIRI Instruction  Not Supported
PCLMULQDQ Instruction  Supported
PCOMMIT Instruction  Not Supported
PCONFIG Instruction  Not Supported
POPCNT Instruction  Supported
PREFETCHWT1 Instruction  Not Supported
PTWRITE Instruction  Not Supported
RDFSBASE / RDGSBASE / WRFSBASE / WRGSBASE Instruction  Supported
RDPRU Instruction  Not Supported
RDRAND Instruction  Supported
RDSEED Instruction  Supported
RDTSCP Instruction  Supported
SKINIT / STGI Instruction  Not Supported
SYSCALL / SYSRET Instruction  Not Supported
SYSENTER / SYSEXIT Instruction  Supported
Trailing Bit Manipulation Instructions  Not Supported
VIA FEMMS Instruction  Not Supported
VPCLMULQDQ Instruction  Supported
WBNOINVD Instruction  Not Supported
 
Security Features:
Advanced Cryptography Engine (ACE)  Not Supported
Advanced Cryptography Engine 2 (ACE2)  Not Supported
Control-flow Enforcement Technology - Indirect Branch Tracking (CET_IBT)  Not Supported
Control-flow Enforcement Technology - Shadow Stack (CET_SS)  Not Supported
Data Execution Prevention (DEP, NX, EDB)  Supported
Enhanced Indirect Branch Restricted Speculation  Supported
Hardware Random Number Generator (RNG)  Not Supported
Hardware Random Number Generator 2 (RNG2)  Not Supported
Indirect Branch Predictor Barrier (IBPB)  Supported
Indirect Branch Restricted Speculation (IBRS)  Supported
L1D Flush  Supported
MD_CLEAR  Supported
Memory Protection Extensions (MPX)  Not Supported
PadLock Hash Engine (PHE)  Not Supported
PadLock Hash Engine 2 (PHE2)  Not Supported
PadLock Montgomery Multiplier (PMM)  Not Supported
PadLock Montgomery Multiplier 2 (PMM2)  Not Supported
Processor Serial Number (PSN)  Not Supported
Protection Keys for User-Mode Pages (PKU)  Supported, Disabled
Read Processor ID (RDPID)  Supported
Rogue Data Cache Load (RDCL)  Not Susceptible
Safer Mode Extensions (SMX)  Not Supported
Secure Memory Encryption (SME)  Not Supported
SGX Launch Configuration (SGX_LC)  Supported
Software Guard Extensions (SGX)  Supported
Single Thread Indirect Branch Predictors (STIBP)  Supported
Speculative Store Bypass Disable (SSBD)  Supported
Supervisor Mode Access Prevention (SMAP)  Supported
Supervisor Mode Execution Protection (SMEP)  Supported
Total Memory Encryption (TME)  Not Supported
User-Mode Instruction Prevention (UMIP)  Supported
 
Power Management Features:
APM Power Reporting  Not Supported
Application Power Management (APM)  Not Supported
Automatic Clock Control  Supported
Configurable TDP (cTDP)  Not Supported
Connected Standby  Not Supported
Core C6 State (CC6)  Not Supported
Digital Thermometer  Supported
Dynamic FSB Frequency Switching  Not Supported
Enhanced Halt State (C1E)  Supported, Enabled
Enhanced SpeedStep Technology (EIST, ESS)  Supported, Enabled
Frequency ID Control  Not Supported
Hardware P-State Control  Not Supported
Hardware Thermal Control (HTC)  Not Supported
LongRun  Not Supported
LongRun Table Interface  Not Supported
Overstress  Not Supported
Package C6 State (PC6)  Not Supported
Parallax  Not Supported
PowerSaver 1.0  Not Supported
PowerSaver 2.0  Not Supported
PowerSaver 3.0  Not Supported
Processor Duty Cycle Control  Supported
Running Average Power Limit (RAPL)  Not Supported
Software Thermal Control  Not Supported
SpeedShift (SST, HWP)  Supported, Enabled (Autonomous Mode)
Temperature Sensing Diode  Not Supported
Thermal Monitor 1  Supported
Thermal Monitor 2  Supported
Thermal Monitor 3  Not Supported
Thermal Monitoring  Not Supported
Thermal Trip  Not Supported
Voltage ID Control  Not Supported
 
Virtualization Features:
AMD Virtual Interrupt Controller (AVIC)  Not Supported
Decode Assists  Not Supported
Encrypted Microcode Patch  Not Supported
Encrypted State (SEV-ES)  Not Supported
Extended Page Table (EPT)  Supported
Flush by ASID  Not Supported
Guest Mode Execute Trap Extension (GMET)  Not Supported
Hypervisor  Not Present
INVEPT Instruction  Supported
INVVPID Instruction  Supported
LBR Virtualization  Not Supported
Memory Bandwidth Enforcement (MBE)  Not Supported
Nested Paging (NPT, RVI)  Not Supported
NRIP Save (NRIPS)  Not Supported
PAUSE Filter Threshold  Not Supported
PAUSE Intercept Filter  Not Supported
Secure Encrypted Virtualization (SEV)  Not Supported
Secure Virtual Machine (SVM, Pacifica)  Not Supported
SVM Lock (SVML)  Not Supported
Virtual Transparent Encryption (VTE)  Not Supported
Virtualized GIF (vGIF)  Not Supported
Virtualized VMLOAD and VMSAVE  Not Supported
Virtual Machine Extensions (VMX, Vanderpool)  Supported
Virtual Processor ID (VPID)  Supported
VMCB Clean Bits  Not Supported
 
CPUID Features:
1 GB Page Size  Supported
36-bit Page Size Extension  Supported
5-Level Paging  Not Supported
64-bit DS Area  Supported
Adaptive Overclocking  Not Supported
Address Region Registers (ARR)  Not Supported
Code and Data Prioritization Technology (CDP)  Not Supported
Core Performance Boost (CPB)  Not Supported
Core Performance Counters  Not Supported
CPL Qualified Debug Store  Supported
Data Breakpoint Extension  Not Supported
Debug Trace Store  Supported
Debugging Extension  Supported
Deprecated FPU CS and FPU DS  Supported
Direct Cache Access  Not Supported
Dynamic Acceleration Technology (IDA)  Not Supported
Dynamic Configurable TDP (DcTDP)  Not Supported
Extended APIC Register Space  Not Supported
Fast Save & Restore  Supported
Hardware Lock Elision (HLE)  Not Supported
Hybrid Boost  Not Supported
Hybrid CPU  Not Supported
Hyper-Threading Technology (HTT)  Supported, Enabled
Instruction Based Sampling  Not Supported
Invariant Time Stamp Counter  Supported
L1 Context ID  Not Supported
L2I Performance Counters  Not Supported
Lightweight Profiling  Not Supported
Local APIC On Chip  Supported
Machine Check Architecture (MCA)  Supported
Machine Check Exception (MCE)  Supported
Memory Configuration Registers (MCR)  Not Supported
Memory Type Range Registers (MTRR)  Supported
Model Specific Registers (MSR)  Supported
NB Performance Counters  Not Supported
Page Attribute Table (PAT)  Supported
Page Global Extension  Supported
Page Size Extension (PSE)  Supported
Pending Break Event (PBE)  Supported
Performance Time Stamp Counter (PTSC)  Not Supported
Physical Address Extension (PAE)  Supported
Platform Quality of Service Enforcement (PQE)  Not Supported
Platform Quality of Service Monitoring (PQM)  Not Supported
Process Context Identifiers (PCID)  Supported
Processor Feedback Interface  Not Supported
Processor Trace (PT)  Supported
Restricted Transactional Memory (RTM)  Not Supported
Self-Snoop  Supported
Time Stamp Counter (TSC)  Supported
Time Stamp Counter Adjust  Supported
Turbo Boost  Supported, Enabled
Turbo Boost Max 3.0  Not Supported
Virtual Mode Extension  Supported
Watchdog Timer  Not Supported
x2APIC  Supported, Disabled
XGETBV / XSETBV OS Enabled  Supported
XSAVE / XRSTOR / XSETBV / XGETBV Extended States  Supported
XSAVEOPT  Supported
 
CPUID Registers (CPU #0):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-00100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000000 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000000 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #1 Virtual):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-01100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000001 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000001 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #2):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-02100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000002 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000002 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #3 Virtual):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-03100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000003 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000003 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #4):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-04100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000004 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000004 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #5 Virtual):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-05100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000005 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000005 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #6):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-06100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000006 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000006 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
CPUID Registers (CPU #7 Virtual):
CPUID 00000000  0000001B-756E6547-6C65746E-49656E69 [GenuineIntel]
CPUID 00000001  000706E5-07100800-7FFAFBBF-BFEBFBFF
CPUID 00000002  00FEFF01-000000F0-00000000-00000000
CPUID 00000003  00000000-00000000-00000000-00000000
CPUID 00000004  1C004121-02C0003F-0000003F-00000000 [SL 00]
CPUID 00000004  1C004122-01C0003F-0000003F-00000000 [SL 01]
CPUID 00000004  1C004143-01C0003F-000003FF-00000000 [SL 02]
CPUID 00000004  1C03C163-03C0003F-00001FFF-00000006 [SL 03]
CPUID 00000005  00000040-00000040-00000003-11121020
CPUID 00000006  0017AFF7-00000002-00000009-00000000
CPUID 00000007  00000000-F2BF27EF-40405F4E-BC000410
CPUID 00000008  00000000-00000000-00000000-00000000
CPUID 00000009  00000000-00000000-00000000-00000000
CPUID 0000000A  08300805-00000000-0000000F-00008604
CPUID 0000000B  00000001-00000002-00000100-00000007 [SL 00]
CPUID 0000000B  00000004-00000008-00000201-00000007 [SL 01]
CPUID 0000000C  00000000-00000000-00000000-00000000
CPUID 0000000D  000002E7-00000A80-00000A88-00000000 [SL 00]
CPUID 0000000D  0000000F-00000A00-00002100-00000000 [SL 01]
CPUID 0000000D  00000100-00000240-00000000-00000000 [SL 02]
CPUID 0000000D  00000040-00000440-00000000-00000000 [SL 05]
CPUID 0000000D  00000200-00000480-00000000-00000000 [SL 06]
CPUID 0000000D  00000400-00000680-00000000-00000000 [SL 07]
CPUID 0000000D  00000080-00000000-00000001-00000000 [SL 08]
CPUID 0000000D  00000008-00000A80-00000000-00000000 [SL 09]
CPUID 0000000D  00000008-00000000-00000001-00000000 [SL 0D]
CPUID 0000000E  00000000-00000000-00000000-00000000
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 00]
CPUID 0000000F  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000010  00000000-00000000-00000000-00000000 [SL 01]
CPUID 00000011  00000000-00000000-00000000-00000000
CPUID 00000012  00000063-00000001-00000000-00002F1F [SL 00]
CPUID 00000012  000000B6-00000000-000002E7-00000000 [SL 01]
CPUID 00000012  400C0001-00000000-05CC0001-00000000 [SL 02]
CPUID 00000013  00000000-00000000-00000000-00000000
CPUID 00000014  00000001-0000000F-00000007-00000000 [SL 00]
CPUID 00000014  02490002-003F1FFF-00000000-00000000 [SL 01]
CPUID 00000015  00000002-0000004E-0249F000-00000000
CPUID 00000016  000005DC-00000F3C-00000064-00000000
CPUID 00000017  00000000-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000007-00000000-00000000-00000000 [SL 00]
CPUID 00000018  00000000-00080007-00000001-00004122 [SL 01]
CPUID 00000018  00000000-0010000F-00000001-00004125 [SL 02]
CPUID 00000018  00000000-00040001-00000010-00004024 [SL 03]
CPUID 00000018  00000000-00040006-00000008-00004024 [SL 04]
CPUID 00000018  00000000-00080008-00000001-00004124 [SL 05]
CPUID 00000018  00000000-00080007-00000080-00004043 [SL 06]
CPUID 00000018  00000000-00080009-00000080-00004043 [SL 07]
CPUID 00000019  00000000-00000000-00000000-00000000
CPUID 0000001A  00000000-00000000-00000000-00000000
CPUID 0000001B  00000000-00000000-00000000-00000000
CPUID 80000000  80000008-00000000-00000000-00000000
CPUID 80000001  00000000-00000000-00000121-2C100000
CPUID 80000002  65746E49-2952286C-726F4320-4D542865 [Intel(R) Core(TM]
CPUID 80000003  37692029-3630312D-20374735-20555043 [) i7-1065G7 CPU ]
CPUID 80000004  2E312040-48473033-0000007A-00000000 [@ 1.30GHz]
CPUID 80000005  00000000-00000000-00000000-00000000
CPUID 80000006  00000000-00000000-01006040-00000000
CPUID 80000007  00000000-00000000-00000000-00000100
CPUID 80000008  00003027-00000000-00000000-00000000
 
MSR Registers (CPU #0):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0900
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-0045-4F24-EB01 [S200]
MSR 000000E7  0000-0045-50EC-2990 [S200]
MSR 000000E7  0000-0045-5225-6CF4
MSR 000000E8  0000-004E-86C9-B2E3 [S200]
MSR 000000E8  0000-004E-894D-0361 [S200]
MSR 000000E8  0000-004E-89AB-F639
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-170A-0000-0B00 [S200]
MSR 00000198  0000-16CC-0000-0B00 [S200]
MSR 00000198  0000-16B8-0000-0B00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8832-0802 [S200]
MSR 0000019C  0000-0000-8833-0802 [S200]
MSR 0000019C  0000-0000-8833-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8830-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000 [S200]
MSR 0000030A  0000-0000-0000-0000 [S200]
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000 [S200]
MSR 0000030B  0000-0000-0000-0000 [S200]
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-6AB1-CBB0
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035C-B1EA [S200]
MSR 00000611  0000-0000-035C-C182 [S200]
MSR 00000611  0000-0000-035C-DCD0
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000 [S200]
MSR 00000619  0000-0000-0000-0000 [S200]
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-1524-0008
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-3C3F [S200]
MSR 00000639  0000-0000-01FD-4601 [S200]
MSR 00000639  0000-0000-01FD-4A37
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E514 [S200]
MSR 00000641  0000-0000-0019-E54C [S200]
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #1):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-003F-1247-BDD6
MSR 000000E8  0000-0048-B9FE-1761
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-1770-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8834-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8831-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5D8B
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15B3-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-542E
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #2):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-001C-2D11-EFE2
MSR 000000E8  0000-002B-782D-9B15
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-1785-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8834-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8831-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5DB7
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15C8-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-5444
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #3):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-0012-58B0-6FB1
MSR 000000E8  0000-0019-F6A1-F811
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-1785-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8834-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8830-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5DE7
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15C8-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-545D
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #4):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-0013-57A9-34B7
MSR 000000E8  0000-0021-C570-2417
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-1770-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8833-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8830-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5E13
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15B3-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-5474
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #5):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-000F-B744-4483
MSR 000000E8  0000-001D-2EC4-3858
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-1785-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8832-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-882F-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5E3B
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15B3-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-5489
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #6):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-0016-6C69-AE83
MSR 000000E8  0000-002B-C9C9-7CD8
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-175C-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8835-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8830-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5E66
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15B3-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-549F
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004
 
MSR Registers (CPU #7):
MSR 00000017  001C-0000-0000-0000 [PlatID = 7]
MSR 0000001B  0000-0000-FEE0-0800
MSR 00000035  0000-0000-0004-0008
MSR 00000048  0000-0000-0000-0000
MSR 00000049  < FAILED >
MSR 0000008B  0000-0056-0000-0000
MSR 000000CE  0004-043C-F181-0F00 [eD = 0]
MSR 000000E7  0000-0008-D558-788D
MSR 000000E8  0000-000E-CD8A-6F2E
MSR 0000010A  0000-0000-0000-002B
MSR 0000010B  < FAILED >
MSR 00000194  0000-0000-0011-0000
MSR 00000198  0000-175C-0000-0D00
MSR 00000199  0000-0000-0000-0D00
MSR 0000019A  0000-0000-0000-0000
MSR 0000019B  0000-0000-0000-0010
MSR 0000019C  0000-0000-8835-0802
MSR 0000019D  0000-0000-0000-0000
MSR 000001A0  0000-0000-0085-0089
MSR 000001A2  0000-0000-0A64-0000
MSR 000001A4  0000-0000-0000-0000
MSR 000001AA  0000-0000-0040-1CC0
MSR 000001AC  < FAILED >
MSR 000001AD  2323-2323-2323-2627
MSR 000001B0  0000-0000-0000-0009
MSR 000001B1  0000-0000-8830-0802
MSR 000001B2  0000-0000-0000-0000
MSR 000001FC  0000-0000-0024-005F
MSR 00000300  < FAILED >
MSR 0000030A  0000-0000-0000-0000
MSR 0000030B  0000-0000-0000-0000
MSR 00000480  00DA-0500-0000-0013
MSR 00000481  0000-00FF-0000-0016
MSR 00000482  FFF9-FFFE-0401-E172
MSR 00000483  037F-FFFF-0003-6DFF
MSR 00000484  0006-FFFF-0000-11FF
MSR 00000485  0000-0000-7004-C1E7
MSR 00000486  0000-0000-8000-0021
MSR 00000487  0000-0000-FFFF-FFFF
MSR 00000488  0000-0000-0000-2000
MSR 00000489  0000-0000-0077-2FFF
MSR 0000048A  0000-0000-0000-002E
MSR 0000048B  335F-BFFF-0000-0000
MSR 0000048C  0000-0F01-0673-4141
MSR 0000048D  0000-00FF-0000-0016
MSR 0000048E  FFF9-FFFE-0400-6172
MSR 0000048F  037F-FFFF-0003-6DFB
MSR 00000490  0006-FFFF-0000-11FB
MSR 00000601  0000-0000-0000-0328
MSR 00000602  < FAILED >
MSR 00000603  0036-0000-0036-3636
MSR 00000604  < FAILED >
MSR 00000606  0000-0000-000A-0E03
MSR 0000060A  0000-0000-0000-0000
MSR 0000060B  0000-0000-0000-0000
MSR 0000060C  0000-0000-0000-0000
MSR 0000060D  0000-001C-894C-33CB
MSR 00000610  0042-8170-00DD-8078
MSR 00000611  0000-0000-035D-5E8B
MSR 00000613  0000-0000-0000-0000
MSR 00000614  0000-0000-0000-0078
MSR 00000618  0054-00DE-0000-0000
MSR 00000619  0000-0000-0000-0000
MSR 0000061B  0000-0000-0000-0000
MSR 0000061C  < FAILED >
MSR 0000061E  < FAILED >
MSR 00000620  0000-0000-0000-0424
MSR 00000621  0000-0000-15C8-000B
MSR 00000638  0000-0000-0000-0000
MSR 00000639  0000-0000-01FD-54B2
MSR 0000063A  0000-0000-0000-0009
MSR 0000063B  < FAILED >
MSR 00000640  0000-0000-0000-0000
MSR 00000641  0000-0000-0019-E59A
MSR 00000642  0000-0000-0000-000D
MSR 00000648  0000-0000-0000-000D
MSR 00000649  0000-0000-000A-0060
MSR 0000064A  0000-0000-000F-00C8
MSR 0000064B  0000-0000-0000-0000
MSR 0000064C  0000-0000-0000-000C
MSR 00000690  0000-0000-0000-0000
MSR 000006B0  0000-0000-0100-0000
MSR 000006B1  0000-0000-0100-0000
MSR 00000770  0000-0000-0000-0001
MSR 00000771  0000-0000-010D-0D27
MSR 00000772  0000-019E-B200-2701
MSR 00000773  0000-0000-0000-0005
MSR 00000774  0000-059E-B200-2701
MSR 00000777  0000-0000-0000-0004


Motherboard

 
Motherboard Properties:
Motherboard ID  <DMI>
Motherboard Name  LG 17Z90N-V.AA76C
 
Front Side Bus Properties:
Bus Type  Intel QPI
Real Clock  100 MHz
Effective Clock  100 MHz
 
Memory Bus Properties:
Bus Type  Dual LPDDR4 SDRAM
Bus Width  64-bit
DRAM:FSB Ratio  24:3
Real Clock  800 MHz (QDR)
Effective Clock  3200 MHz
Bandwidth  25600 MB/s
 
Chipset Bus Properties:
Bus Type  Intel Direct Media Interface v3.0


Memory

 
Physical Memory:
Total  16094 MB
Used  3385 MB
Free  12709 MB
Utilization  21 %
 
Virtual Memory:
Total  32478 MB
Used  3329 MB
Free  29149 MB
Utilization  10 %
 
Paging File:
Paging File  C:\pagefile.sys
Current Size  16384 MB
Current / Peak Usage  0 MB / 1 MB
Utilization  0 %
 
Physical Address Extension (PAE):
Supported by Operating System  Yes
Supported by CPU  Yes
Active  Yes


Chipset

 
[ North Bridge: Intel Ice Lake-U IMC ]
 
North Bridge Properties:
North Bridge  Intel Ice Lake-U IMC
Supported Memory Types  DDR4-1333, DDR4-1600, DDR4-1866, DDR4-2133, DDR4-2400, DDR4-2667, DDR4-2933, DDR4-3200, DDR4-3466, DDR4-3733 SDRAM
Maximum Memory Amount  32 GB
Revision  03
Process Technology  10 nm
VT-d  Supported
Extended APIC (x2APIC)  Supported
 
Memory Controller:
Type  Dual Channel (64-bit)
Active Mode  Dual Channel (64-bit)
 
Memory Timings:
CAS Latency (CL)  22T
RAS To CAS Delay (tRCD)  22T
RAS Precharge (tRP)  22T
RAS Active Time (tRAS)  52T
Row Refresh Cycle Time (tRFC)  880T
Command Rate (CR)  1T
RAS To RAS Delay (tRRD)  Same Bank Group: 11T, Diff. Bank Group: 9T
Write Recovery Time (tWR)  24T
Read To Read Delay (tRTR)  Different Rank: 8T, Different DIMM: 10T, Same Bank Group: 8T, Diff. Bank Group: 4T
Read To Write Delay (tRTW)  Different Rank: 12T, Different DIMM: 12T, Same Bank Group: 12T, Diff. Bank Group: 12T
Write To Read Delay (tWTR)  Different Rank: 6T, Different DIMM: 6T, Same Bank Group: 38T, Diff. Bank Group: 30T
Write To Write Delay (tWTW)  Different Rank: 8T, Different DIMM: 8T, Same Bank Group: 8T, Diff. Bank Group: 4T
Read To Precharge Delay (tRTP)  12T
Write To Precharge Delay (tWTP)  48T
Four Activate Window Delay (tFAW)  48T
Write CAS Latency (tWCL)  20T
CKE Min. Pulse Width (tCKE)  8T
Refresh Period (tREF)  12480T
Burst Length (BL)  8
 
Error Correction:
ECC  Not Supported
ChipKill ECC  Not Supported
RAID  Not Supported
ECC Scrubbing  Not Supported
 
Memory Slots:
DRAM Slot #1  8 GB (LPDDR4 SDRAM)
DRAM Slot #2  8 GB (LPDDR4 SDRAM)
 
Integrated Graphics Controller:
Graphics Controller Type  Intel HD Graphics
Graphics Controller Status  Enabled
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ South Bridge: Intel Ice Point-LP ]
 
South Bridge Properties:
South Bridge  Intel Ice Point-LP
Revision / Stepping  30 / D0
 
High Definition Audio:
Codec Name  Conexant CX8200
Codec ID  14F12008h / 18540370h
Codec Revision  1001h
Codec Type  Audio
 
High Definition Audio:
Codec Name  Intel Ice Point HDMI
Codec ID  8086280Fh / 80860101h
Codec Revision  1000h
Codec Type  Audio
 
PCI Express Controller:
PCI-E 2.0 x4 port #9  In Use @ x4 (Samsung NVMe SSD Controller)
PCI-E 2.0 x4 port #13  In Use @ x4 (Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller)
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates


BIOS

 
BIOS Properties:
BIOS Type  Unknown
BIOS Version  C2ZE0135 X64
SMBIOS Version  3.1
UEFI Boot  Yes
Secure Boot  Enabled
System BIOS Date  12/26/2019
Video BIOS Date  Unknown


ACPI

 
[ APIC: Multiple APIC Description Table ]
 
ACPI Table Properties:
ACPI Signature  APIC
Table Description  Multiple APIC Description Table
Memory Address  00000000-37F2A000h
Table Length  300 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
Local APIC Address  FEE00000h
 
Processor Local APIC:
ACPI Processor ID  01h
APIC ID  00h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  02h
APIC ID  02h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  03h
APIC ID  04h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  04h
APIC ID  06h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  05h
APIC ID  01h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  06h
APIC ID  03h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  07h
APIC ID  05h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  08h
APIC ID  07h
Status  Enabled
 
Processor Local APIC:
ACPI Processor ID  09h
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Ah
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Bh
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Ch
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Dh
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Eh
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  0Fh
APIC ID  FFh
Status  Disabled
 
Processor Local APIC:
ACPI Processor ID  10h
APIC ID  FFh
Status  Disabled
 
I/O APIC:
I/O APIC ID  02h
I/O APIC Address  FEC00000h
Global System Interrupt Base  00000000h
 
Interrupt Source Override:
Bus  ISA
Source  IRQ0
Global System Interrupt  00000002h
Polarity  Conforms to the specifications of the bus
Trigger Mode  Conforms to the specifications of the bus
 
Interrupt Source Override:
Bus  ISA
Source  IRQ9
Global System Interrupt  00000009h
Polarity  Active High
Trigger Mode  Level-Triggered
 
Local APIC NMI:
ACPI Processor ID  01h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  02h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  03h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  04h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  05h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  06h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  07h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  08h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  09h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Ah
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Bh
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Ch
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Dh
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Eh
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  0Fh
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
Local APIC NMI:
ACPI Processor ID  10h
Local ACPI LINT#  01h
Polarity  Active High
Trigger Mode  Edge-Triggered
 
[ BATB: Unknown ]
 
ACPI Table Properties:
ACPI Signature  BATB
Table Description  Unknown
Memory Address  00000000-37D02000h
Table Length  74 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000000h
Creator ID  PTEC
Creator Revision  00000002h
 
[ BGRT: Boot Graphics Resource Table ]
 
ACPI Table Properties:
ACPI Signature  BGRT
Table Description  Boot Graphics Resource Table
Memory Address  00000000-368FE000h
Table Length  56 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ BOOT: Simple Boot Flag Table ]
 
ACPI Table Properties:
ACPI Signature  BOOT
Table Description  Simple Boot Flag Table
Memory Address  00000000-37EE6000h
Table Length  40 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000002h
Creator ID  PTEC
Creator Revision  00000002h
 
[ DBG2: Debug Port Table Type 2 ]
 
ACPI Table Properties:
ACPI Signature  DBG2
Table Description  Debug Port Table Type 2
Memory Address  00000000-37EDB000h
Table Length  84 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ DBGP: Debug Port Table ]
 
ACPI Table Properties:
ACPI Signature  DBGP
Table Description  Debug Port Table
Memory Address  00000000-37EDC000h
Table Length  52 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ DMAR: DMA Remapping Table ]
 
ACPI Table Properties:
ACPI Signature  DMAR
Table Description  DMA Remapping Table
Memory Address  00000000-36900000h
Table Length  176 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000002h
Creator ID  PTEC
Creator Revision  00000002h
 
[ DSDT: Differentiated System Description Table ]
 
ACPI Table Properties:
ACPI Signature  DSDT
Table Description  Differentiated System Description Table
Memory Address  00000000-37EEE000h
Table Length  239264 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  INTL
Creator Revision  20160422h
 
nVIDIA SLI:
SLI Certification  Not Present
PCI 0-0-0-0 (Direct I/O)  8086-8A12 (Intel)
PCI 0-0-0-0 (HAL)  8086-8A12 (Intel)
 
Lucid Virtu:
Virtu Certification  Not Present
 
[ ECDT: Embedded Controller Boot Resources Table ]
 
ACPI Table Properties:
ACPI Signature  ECDT
Table Description  Embedded Controller Boot Resources Table
Memory Address  00000000-37F2D000h
Table Length  105 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ FACP: Fixed ACPI Description Table ]
 
ACPI Table Properties:
ACPI Signature  FACP
Table Description  Fixed ACPI Description Table
Memory Address  00000000-37F2C000h
Table Length  276 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
FACS Address  3B9D1000h / 00000000-00000000h
DSDT Address  37EEE000h / 00000000-37EEE000h
SMI Command Port  000000B2h
PM Timer  00001808h
 
[ FACS: Firmware ACPI Control Structure ]
 
ACPI Table Properties:
ACPI Signature  FACS
Table Description  Firmware ACPI Control Structure
Memory Address  3B9D1000h
Table Length  64 bytes
Hardware Signature  0AF0E3E2h
Waking Vector  00000000h
Global Lock  00000000h
 
[ FBPT: Firmware Basic Boot Performance Table ]
 
ACPI Table Properties:
ACPI Signature  FBPT
Table Description  Firmware Basic Boot Performance Table
Memory Address  00000000-3A6E2000h
Table Length  56 bytes
 
[ FPDT: Firmware Performance Data Table ]
 
ACPI Table Properties:
ACPI Signature  FPDT
Table Description  Firmware Performance Data Table
Memory Address  00000000-368FD000h
Table Length  68 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
FBPT Address  00000000-3A6E2000h
S3PT Address  00000000-3A709000h
 
[ HPET: IA-PC High Precision Event Timer Table ]
 
ACPI Table Properties:
ACPI Signature  HPET
Table Description  IA-PC High Precision Event Timer Table
Memory Address  00000000-37F2B000h
Table Length  56 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
HPET Address  00000000-FED00000h
Vendor ID  8086h
Revision  01h
Number of Timers  3
Counter Size  64-bit
Minimum Clock Ticks  128
Page Protection  No Guarantee
OEM Attribute  0h
LegacyReplacement IRQ Routing  Supported
 
[ LPIT: Low Power Idle Table ]
 
ACPI Table Properties:
ACPI Signature  LPIT
Table Description  Low Power Idle Table
Memory Address  00000000-37EE2000h
Table Length  148 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
Native C-State Instruction Entry Trigger:
Unique ID  0
Status  Enabled
Minimum Residency  30000 us
Worst Case Exit Latency  3000 us
Residency Counter MSR  00000632h
Residency Counter Frequency  TSC
 
Native C-State Instruction Entry Trigger:
Unique ID  1
Status  Enabled
Minimum Residency  30000 us
Worst Case Exit Latency  3000 us
Residency Counter Frequency  10000
 
[ MCFG: Memory Mapped Configuration Space Base Address Description Table ]
 
ACPI Table Properties:
ACPI Signature  MCFG
Table Description  Memory Mapped Configuration Space Base Address Description Table
Memory Address  00000000-37F29000h
Table Length  60 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
Config Space Address  00000000-C0000000h
PCI Segment  0000h
Start Bus Number  00h
End Bus Number  FFh
 
[ MSDM: Microsoft Data Management Table ]
 
ACPI Table Properties:
ACPI Signature  MSDM
Table Description  Microsoft Data Management Table
Memory Address  00000000-37EDA000h
Table Length  85 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000000h
Creator ID  PTEC
Creator Revision  00000002h
SLS Version  1
SLS Data Type  1
SLS Data Length  29
SLS Data  KG4NF-VHXBD-VH2MD-7BMMD-H22HF
 
[ NHLT: Non-HD Audio Endpoint Description Table ]
 
ACPI Table Properties:
ACPI Signature  NHLT
Table Description  Non-HD Audio Endpoint Description Table
Memory Address  00000000-37EE7000h
Table Length  6001 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
Endpoint Count  1
 
Endpoint #0:
Link Type  02h (DMIC)
Instance ID  00h
Device Type  00h (BT)
Device ID  8086-AE20
Subsystem ID  0001-0000
Revision  0001h
Direction  01h
Virtual Bus ID  00h
 
[ PMCT: Unknown ]
 
ACPI Table Properties:
ACPI Signature  PMCT
Table Description  Unknown
Memory Address  00000000-37F41000h
Table Length  83 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000000h
Creator ID  PTEC
Creator Revision  00000002h
 
[ S3PT: S3 Performance Table ]
 
ACPI Table Properties:
ACPI Signature  S3PT
Table Description  S3 Performance Table
Memory Address  00000000-3A709000h
Table Length  52 bytes
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EDD000h
Table Length  4027 bytes
OEM ID  LGE
OEM Table ID  TbtTypeC
OEM Revision  00000000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EDE000h
Table Length  10016 bytes
OEM ID  LGE
OEM Table ID  PtidDevc
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EE3000h
Table Length  5541 bytes
OEM ID  LGE
OEM Table ID  UsbCTabl
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EE9000h
Table Length  3053 bytes
OEM ID  LGE
OEM Table ID  xh_icud4
OEM Revision  00000000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EEA000h
Table Length  11336 bytes
OEM ID  LGE
OEM Table ID  U_Rvp
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37EED000h
Table Length  271 bytes
OEM ID  LGE
OEM Table ID  Ther_Rvp
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F30000h
Table Length  1554 bytes
OEM ID  LGE
OEM Table ID  Tpm2Tabl
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F31000h
Table Length  45739 bytes
OEM ID  LGE
OEM Table ID  TcssSsdt
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F3D000h
Table Length  13209 bytes
OEM ID  LGE
OEM Table ID  SaSsdt
OEM Revision  00003000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F43000h
Table Length  23296 bytes
OEM ID  LGE
OEM Table ID  DptfTabl
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F7F000h
Table Length  18322 bytes
OEM ID  LGE
OEM Table ID  FwiTable
OEM Revision  00001000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F84000h
Table Length  3766 bytes
OEM ID  LGE
OEM Table ID  XnSsdt
OEM Revision  00003000h
Creator ID  INTL
Creator Revision  20160527h
 
[ SSDT: Secondary System Description Table ]
 
ACPI Table Properties:
ACPI Signature  SSDT
Table Description  Secondary System Description Table
Memory Address  00000000-37F86000h
Table Length  7008 bytes
OEM ID  LGE
OEM Table ID  CpuSsdt
OEM Revision  00003000h
Creator ID  INTL
Creator Revision  20160527h
 
[ TPM2: TPM 2.0 Hardware Interface Table ]
 
ACPI Table Properties:
ACPI Signature  TPM2
Table Description  TPM 2.0 Hardware Interface Table
Memory Address  00000000-37F2F000h
Table Length  52 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ UEFI: UEFI ACPI Boot Optimization Table ]
 
ACPI Table Properties:
ACPI Signature  UEFI
Table Description  UEFI ACPI Boot Optimization Table
Memory Address  00000000-3B9CE000h
Table Length  238 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  00000001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ WSMT: Windows SMM Security Mitigations Table ]
 
ACPI Table Properties:
ACPI Signature  WSMT
Table Description  Windows SMM Security Mitigations Table
Memory Address  00000000-37EE1000h
Table Length  40 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
 
[ XSDT: Extended System Description Table ]
 
ACPI Table Properties:
ACPI Signature  XSDT
Table Description  Extended System Description Table
Memory Address  00000000-3BBFB188h
Table Length  292 bytes
OEM ID  LGE
OEM Table ID  LGPC
OEM Revision  20170001h
Creator ID  PTEC
Creator Revision  00000002h
XSDT Entry #0  00000000-37F2C000h (FACP)
XSDT Entry #1  00000000-37F86000h (SSDT)
XSDT Entry #2  00000000-37F84000h (SSDT)
XSDT Entry #3  00000000-37F7F000h (SSDT)
XSDT Entry #4  00000000-37F43000h (SSDT)
XSDT Entry #5  00000000-37F41000h (PMCT)
XSDT Entry #6  00000000-37F3D000h (SSDT)
XSDT Entry #7  00000000-37F31000h (SSDT)
XSDT Entry #8  00000000-37F30000h (SSDT)
XSDT Entry #9  00000000-37F2F000h (TPM2)
XSDT Entry #10  00000000-37F2D000h (ECDT)
XSDT Entry #11  00000000-37F2B000h (HPET)
XSDT Entry #12  00000000-37F2A000h (APIC)
XSDT Entry #13  00000000-37F29000h (MCFG)
XSDT Entry #14  00000000-37EED000h (SSDT)
XSDT Entry #15  00000000-37EEA000h (SSDT)
XSDT Entry #16  00000000-37EE9000h (SSDT)
XSDT Entry #17  00000000-37EE7000h (NHLT)
XSDT Entry #18  00000000-37EE6000h (BOOT)
XSDT Entry #19  00000000-37EE3000h (SSDT)
XSDT Entry #20  00000000-37EE2000h (LPIT)
XSDT Entry #21  00000000-37EE1000h (WSMT)
XSDT Entry #22  00000000-37EDE000h (SSDT)
XSDT Entry #23  00000000-37EDD000h (SSDT)
XSDT Entry #24  00000000-37EDC000h (DBGP)
XSDT Entry #25  00000000-37EDB000h (DBG2)
XSDT Entry #26  00000000-37EDA000h (MSDM)
XSDT Entry #27  00000000-37D02000h (BATB)
XSDT Entry #28  00000000-36900000h (DMAR)
XSDT Entry #29  00000000-368FE000h (BGRT)
XSDT Entry #30  00000000-3B9CE000h (UEFI)
XSDT Entry #31  00000000-368FD000h (FPDT)


Operating System

 
Operating System Properties:
OS Name  Microsoft Windows 10 Home
OS Language  English (United States)
OS Installer Language  English (United States)
OS Kernel Type  Multiprocessor Free (64-bit)
OS Version  10.0.18363.720 (Win10 19H2 [1909] November 2019 Update)
OS Service Pack  -
OS Installation Date  3/18/2020
OS Root  C:\Windows
 
License Information:
Registered Owner  redblue
Registered Organization  LG
Product ID  00325-96638-23859-AAOEM
Product Key  KG4NF-VHXBD-VH2MD-7BMMD-H22HF
Product Activation (WPA)  Not Required
 
Current Session:
Computer Name  DESKTOP-UT5JEJD
User Name  redblue
Logon Domain  DESKTOP-UT5JEJD
UpTime  5495 sec (0 days, 1 hours, 31 min, 35 sec)
 
Components Version:
Common Controls  6.16
Windows Mail  -
Windows Media Player  12.0.18362.1 (WinBuild.160101.0800)
Windows Messenger  -
MSN Messenger  -
Internet Information Services (IIS)  -
.NET Framework  4.8.4121.0 built by: NET48REL1LAST_C
Novell Client  -
DirectX  DirectX 12.0
OpenGL  10.0.18362.387 (WinBuild.160101.0800)
ASPI  -
 
Operating System Features:
Debug Version  No
DBCS Version  No
Domain Controller  No
Security Present  No
Network Present  Yes
Remote Session  No
Safe Mode  No
Slow Processor  No
Terminal Services  Yes


Processes

 
Process Name  Process File Name  Type  Used Memory  Used Swap
aesm_service.exe  C:\Windows\System32\DriverStore\FileRepository\sgx_psw.inf_amd64_ea574a1b555312cb\aesm_service.exe  64-bit  13400 KB  2 KB
aida64.exe  C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe  32-bit  94 MB  75 KB
AIDA64ExtremePortable.exe  C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\AIDA64ExtremePortable.exe  32-bit  13120 KB  34 KB
ApplicationFrameHost.exe  C:\Windows\system32\ApplicationFrameHost.exe  64-bit  33568 KB  15 KB
audiodg.exe  C:\Windows\system32\AUDIODG.EXE  64-bit  18884 KB  12 KB
ChsIME.exe  C:\Windows\System32\InputMethod\CHS\ChsIME.exe  64-bit  8100 KB  1 KB
conhost.exe  C:\Windows\system32\conhost.exe  64-bit  10444 KB  6 KB
conhost.exe  C:\Windows\system32\conhost.exe  64-bit  10836 KB  6 KB
csrss.exe    64-bit  6020 KB  2 KB
csrss.exe    64-bit  5924 KB  2 KB
ctfmon.exe  C:\Windows\system32\ctfmon.exe  64-bit  15836 KB  3 KB
CxAudioSvc.exe  C:\Windows\CxSvc\CxAudioSvc.exe  64-bit  31120 KB  18 KB
CxAudMsg64.exe  C:\Windows\System32\CxAudMsg64.exe  64-bit  8712 KB  1 KB
CxUIUSvc32.exe  C:\Windows\System32\CxUIUSvc32.exe  32-bit  6832 KB  1 KB
CxUtilSvc.exe  C:\Windows\CxSvc\CxUtilSvc.exe  32-bit  7948 KB  1 KB
demon.exe  C:\Users\redblue\AppData\Roaming\Panda\demon\demon.exe  32-bit  5784 KB  1 KB
DeviceManager.exe  C:\Program Files (x86)\LG Software\LG Device Manager\DeviceManager.exe  32-bit  27404 KB  14 KB
dllhost.exe  C:\Windows\system32\DllHost.exe  64-bit  11796 KB  3 KB
dllhost.exe  C:\Windows\system32\DllHost.exe  64-bit  10388 KB  3 KB
doom.exe  C:\Users\redblue\AppData\Roaming\Panda\proxy\doom.exe  32-bit  8536 KB  1 KB
DtsApo4Service.exe  C:\Windows\System32\DTS\PC\APO4x\DtsApo4Service.exe  64-bit  13828 KB  6 KB
dwm.exe  C:\Windows\System32\dwm.exe  64-bit  134 MB  98 KB
esif_uf.exe  C:\Windows\System32\DriverStore\FileRepository\dptf_cpu.inf_amd64_4a3ae74cfa6c37d6\esif_uf.exe  64-bit  5960 KB  1 KB
explorer.exe  C:\Windows\Explorer.EXE  64-bit  134 MB  61 KB
fontdrvhost.exe  C:\Windows\system32\fontdrvhost.exe  64-bit  3672 KB  1 KB
fontdrvhost.exe  C:\Windows\System32\fontdrvhost.exe  64-bit  15336 KB  4 KB
GoogleCrashHandler.exe  C:\Program Files (x86)\Google\Update\1.3.35.442\GoogleCrashHandler.exe  64-bit  1116 KB  1 KB
GoogleCrashHandler64.exe  C:\Program Files (x86)\Google\Update\1.3.35.442\GoogleCrashHandler64.exe  64-bit  988 KB  1 KB
GoogleUpdate.exe  C:\Program Files (x86)\Google\Update\GoogleUpdate.exe  64-bit  2516 KB  1 KB
HotkeyManager.exe  C:\Program Files (x86)\LG Software\LG OSD\HotkeyManager.exe  64-bit  13712 KB  3 KB
IGCC.exe  C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.2727.0_x64__8j3eq9eme6ctt\IGCC.exe  64-bit  52040 KB  16 KB
IGCCTray.exe  C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.2727.0_x64__8j3eq9eme6ctt\GCP.ML.BackgroundSysTray\IGCCTray.exe  64-bit  77712 KB  36 KB
igfxCUIServiceN.exe  C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_f51939e52b944f4b\igfxCUIServiceN.exe  64-bit  9836 KB  2 KB
igfxEMN.exe  C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_f51939e52b944f4b\igfxEMN.exe  64-bit  19620 KB  4 KB
IntelCpHDCPSvc.exe  C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_38ad448c99141fd9\IntelCpHDCPSvc.exe  64-bit  6832 KB  1 KB
jhi_service.exe  C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_d52c63e0e1c02c96\jhi_service.exe  64-bit  6280 KB  1 KB
LGControlCenterRTManager.exe  C:\Program Files (x86)\LG Software\LG Control Center\LGControlCenterRTManager.exe  32-bit  28032 KB  10 KB
LGControlCenterSVC.exe  C:\Program Files (x86)\LG Software\LG Control Center\LGControlCenterSVC.exe  32-bit  20852 KB  8 KB
LGUWPService.exe  C:\Windows\System32\DriverStore\FileRepository\lguwpservice.inf_amd64_00893e2c6863757c\LGUWPService.exe  32-bit  34380 KB  13 KB
LMS.exe  C:\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_cfcf51bb7b370ad0\LMS.exe  32-bit  12572 KB  3 KB
lsass.exe  C:\Windows\system32\lsass.exe  64-bit  17936 KB  6 KB
Memory Compression    64-bit  33796 KB  0 KB
MicrosoftEdgeUpdate.exe  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  64-bit  3132 KB  1 KB
MsMpEng.exe    64-bit  282 MB  278 KB
NisSrv.exe    64-bit  11728 KB  6 KB
OfficeClickToRun.exe  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  64-bit  55816 KB  32 KB
OneDrive.exe  C:\Users\redblue\AppData\Local\Microsoft\OneDrive\OneDrive.exe  32-bit  70216 KB  27 KB
Panda.exe  C:\Users\redblue\AppData\Roaming\Panda\Panda.exe  32-bit  76800 KB  79 KB
PlatformMgrService.exe  C:\Windows\System32\DriverStore\FileRepository\platmgrsvc.inf_amd64_bb3c63c4264991d4\PlatformMgrService.exe  64-bit  20900 KB  11 KB
QQProtect.exe  C:\Program Files (x86)\Common Files\Tencent\QQProtect\Bin\QQProtect.exe  32-bit  21124 KB  16 KB
ReaderMode.exe  C:\Program Files (x86)\LG Software\LG Reader Mode\ReaderMode.exe  32-bit  11788 KB  2 KB
Registry    64-bit  76368 KB  7 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  20620 KB  5 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  26260 KB  6 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  39220 KB  13 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  19364 KB  4 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  10312 KB  2 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  15884 KB  2 KB
RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe  64-bit  15192 KB  2 KB
SASrv.exe  C:\Program Files\WindowsApps\22094SynapticsIncorporate.SmartAudio2_1.1.51.0_x86__qt57b6kdvhcfw\SAII\SASrv.exe  32-bit  6296 KB  1 KB
SearchFilterHost.exe  C:\Windows\system32\SearchFilterHost.exe  64-bit  8256 KB  1 KB
SearchIndexer.exe  C:\Windows\system32\SearchIndexer.exe  64-bit  49792 KB  33 KB
SearchProtocolHost.exe  C:\Windows\system32\SearchProtocolHost.exe  64-bit  20192 KB  4 KB
SearchUI.exe  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  64-bit  178 MB  101 KB
SecurityHealthService.exe    64-bit  14248 KB  4 KB
SecurityHealthSystray.exe  C:\Windows\System32\SecurityHealthSystray.exe  64-bit  8624 KB  1 KB
services.exe    64-bit  10548 KB  5 KB
SessionService.exe  C:\Windows\System32\drivers\SessionService.exe  64-bit  2632 KB  0 KB
SgrmBroker.exe    64-bit  6368 KB  3 KB
ShellExperienceHost.exe  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  64-bit  51764 KB  12 KB
sihost.exe  C:\Windows\system32\sihost.exe  64-bit  25916 KB  6 KB
SkypeApp.exe  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c\SkypeApp.exe  64-bit  10672 KB  14 KB
SkypeBackgroundHost.exe  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe  64-bit  2444 KB  1 KB
SmartAudio.exe  C:\Program Files\WindowsApps\22094SynapticsIncorporate.SmartAudio2_1.1.51.0_x86__qt57b6kdvhcfw\SAII\SmartAudio.exe  32-bit  90 MB  53 KB
smartscreen.exe  C:\Windows\System32\smartscreen.exe  64-bit  22248 KB  7 KB
smss.exe    64-bit  1164 KB  1 KB
SocketHeciServer.exe  C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_e3f9b958faa255f1\lib\SocketHeciServer.exe  64-bit  7668 KB  1 KB
splwow64.exe  C:\Windows\splwow64.exe  64-bit  11200 KB  2 KB
spoolsv.exe  C:\Windows\System32\spoolsv.exe  64-bit  21244 KB  6 KB
sppsvc.exe    64-bit  11840 KB  3 KB
sspd.exe  C:\Users\redblue\AppData\Roaming\Panda\sspd.exe  32-bit  9268 KB  6 KB
StartMenuExperienceHost.exe  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  64-bit  85900 KB  28 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  5708 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  16224 KB  8 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  14016 KB  4 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  8800 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  10864 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8576 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  7392 KB  1 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  11760 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  9640 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8800 KB  4 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  5976 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  10052 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  12596 KB  4 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  10880 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  12112 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  7816 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8988 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  18036 KB  4 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  7736 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  7120 KB  1 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  17364 KB  13 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8372 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8412 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  11240 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  12284 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  5816 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  13636 KB  3 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8112 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  15684 KB  7 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  9976 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  7816 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  15396 KB  5 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  18968 KB  5 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  9068 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  7640 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  9188 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  10208 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  13688 KB  3 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  6776 KB  1 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  14504 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  16204 KB  6 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  18128 KB  8 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  10776 KB  2 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  8060 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  11988 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8108 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  12784 KB  3 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  29024 KB  14 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  28068 KB  17 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  8704 KB  2 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  18724 KB  8 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  6548 KB  1 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  5584 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  21524 KB  4 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  5376 KB  1 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  13036 KB  4 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  5464 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  21848 KB  3 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  17048 KB  7 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  12316 KB  3 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  38104 KB  8 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  6516 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  7392 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  9516 KB  1 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  17108 KB  4 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  14176 KB  3 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  31044 KB  11 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  15120 KB  3 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  9552 KB  3 KB
svchost.exe  C:\Windows\System32\svchost.exe  64-bit  18376 KB  5 KB
svchost.exe  C:\Windows\system32\svchost.exe  64-bit  3880 KB  0 KB
System Idle Process      8 KB  0 KB
System    64-bit  136 KB  0 KB
SystemSettings.exe  C:\Windows\ImmersiveControlPanel\SystemSettings.exe  64-bit  11740 KB  22 KB
taskhostw.exe  C:\Windows\system32\taskhostw.exe  64-bit  15452 KB  6 KB
Taskmgr.exe  C:\Windows\system32\taskmgr.exe  64-bit  51628 KB  23 KB
ThunderboltService.exe  C:\Windows\ThunderboltService.exe  64-bit  15272 KB  10 KB
TIM.exe  C:\Program Files (x86)\Tencent\TIM\Bin\TIM.exe  32-bit  198 MB  141 KB
TXPlatform.exe  C:\Program Files (x86)\Tencent\TIM\Bin\TXPlatform.exe  32-bit  3332 KB  3 KB
WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe  C:\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe  64-bit  50436 KB  12 KB
wininit.exe    64-bit  7280 KB  1 KB
winlogon.exe  C:\Windows\System32\WinLogon.exe  64-bit  9968 KB  2 KB
WinStore.App.exe  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\WinStore.App.exe  64-bit  18056 KB  70 KB
wlanext.exe  C:\Windows\system32\WLANExt.exe  64-bit  5528 KB  1 KB
WmiPrvSE.exe  C:\Windows\system32\wbem\wmiprvse.exe  64-bit  19904 KB  12 KB
WmiPrvSE.exe  C:\Windows\system32\wbem\wmiprvse.exe  64-bit  8648 KB  3 KB
WmiPrvSE.exe  C:\Windows\sysWOW64\wbem\wmiprvse.exe  64-bit  10340 KB  3 KB
WUDFHost.exe  C:\Windows\System32\WUDFHost.exe  64-bit  7900 KB  5 KB
WUDFHost.exe  C:\Windows\System32\WUDFHost.exe  64-bit  21652 KB  9 KB


System Drivers

 
Driver Name  Driver Description  File Name  Version  Type  State
1394ohci  1394 OHCI Compliant Host Controller  1394ohci.sys  10.0.18362.1  Kernel Driver  Stopped
3ware  3ware  3ware.sys  5.1.0.51  Kernel Driver  Stopped
ACPI  Microsoft ACPI Driver  ACPI.sys  10.0.18362.329  Kernel Driver  Running
AcpiDev  ACPI Devices driver  AcpiDev.sys  10.0.18362.1  Kernel Driver  Stopped
acpiex  Microsoft ACPIEx Driver  acpiex.sys  10.0.18362.1  Kernel Driver  Running
acpipagr  ACPI Processor Aggregator Driver  acpipagr.sys  10.0.18362.1  Kernel Driver  Running
AcpiPmi  ACPI Power Meter Driver  acpipmi.sys  10.0.18362.1  Kernel Driver  Stopped
acpitime  ACPI Wake Alarm Driver  acpitime.sys  10.0.18362.1  Kernel Driver  Stopped
Acx01000  Acx01000  Acx01000.sys  10.0.18362.693  Kernel Driver  Stopped
ADP80XX  ADP80XX  ADP80XX.SYS  1.3.0.10769  Kernel Driver  Stopped
AFD  Ancillary Function Driver for Winsock  afd.sys  10.0.18362.693  Kernel Driver  Running
afunix  afunix  afunix.sys  10.0.18362.693  Kernel Driver  Running
ahcache  Application Compatibility Cache  ahcache.sys  10.0.18362.693  Kernel Driver  Running
AIDA64Driver  FinalWire AIDA64 Kernel Driver  kerneld.x64    Kernel Driver  Running
AirModeBtn  LG Airplane Mode Button  AirModeBtn.sys  1.0.1806.3001  Kernel Driver  Running
amdgpio2  AMD GPIO Client Driver  amdgpio2.sys  2.2.0.71  Kernel Driver  Stopped
amdi2c  AMD I2C Controller Service  amdi2c.sys  1.2.0.94  Kernel Driver  Stopped
AmdK8  AMD K8 Processor Driver  amdk8.sys  10.0.18362.693  Kernel Driver  Stopped
AmdPPM  AMD Processor Driver  amdppm.sys  10.0.18362.693  Kernel Driver  Stopped
amdsata  amdsata  amdsata.sys  1.1.3.277  Kernel Driver  Stopped
amdsbs  amdsbs  amdsbs.sys  3.7.1540.43  Kernel Driver  Stopped
amdxata  amdxata  amdxata.sys  1.1.3.277  Kernel Driver  Stopped
ampa  ampa  ampa.sys    Kernel Driver  Stopped
AppID  AppID Driver  appid.sys  10.0.18362.449  Kernel Driver  Stopped
applockerfltr  Smartlocker Filter Driver  applockerfltr.sys  10.0.18362.449  Kernel Driver  Stopped
arcsas  Adaptec SAS/SATA-II RAID Storport's Miniport Driver  arcsas.sys  7.5.0.32048  Kernel Driver  Stopped
AsyncMac  RAS Asynchronous Media Driver  asyncmac.sys  10.0.18362.1  Kernel Driver  Stopped
atapi  IDE Channel  atapi.sys  10.0.18362.693  Kernel Driver  Stopped
b06bdrv  QLogic Network Adapter VBD  bxvbda.sys  7.12.31.105  Kernel Driver  Stopped
bam  Background Activity Moderator Driver  bam.sys  10.0.18362.1  Kernel Driver  Running
BasicDisplay  BasicDisplay  BasicDisplay.sys  10.0.18362.329  Kernel Driver  Running
BasicRender  BasicRender  BasicRender.sys  10.0.18362.329  Kernel Driver  Running
bcmfn2  bcmfn2 Service  bcmfn2.sys  6.3.9600.17336  Kernel Driver  Stopped
Beep  Beep      Kernel Driver  Running
bindflt  Windows Bind Filter Driver  bindflt.sys  10.0.18362.628  File System Driver  Running
bowser  Browser  bowser.sys  10.0.18362.1  File System Driver  Running
BthA2dp  Microsoft Bluetooth A2dp driver  BthA2dp.sys  10.0.18362.356  Kernel Driver  Stopped
BthEnum  Bluetooth Enumerator Service  BthEnum.sys  10.0.18362.693  Kernel Driver  Stopped
BthHFEnum  Microsoft Bluetooth Hands-Free Profile driver  bthhfenum.sys  10.0.18362.1  Kernel Driver  Stopped
BthLEEnum  Bluetooth Low Energy Driver  Microsoft.Bluetooth.Legacy.LEEnumerator.sys  10.0.18362.1  Kernel Driver  Stopped
BthMini  Bluetooth Radio Driver  BTHMINI.sys  10.0.18362.693  Kernel Driver  Stopped
BTHMODEM  Bluetooth Modem Communications Driver  bthmodem.sys  10.0.18362.1  Kernel Driver  Stopped
BthPan  Bluetooth Device (Personal Area Network)  bthpan.sys  10.0.18362.1  Kernel Driver  Stopped
BTHPORT  Bluetooth Port Driver  BTHport.sys  10.0.18362.693  Kernel Driver  Stopped
BTHUSB  Bluetooth Radio USB Driver  BTHUSB.sys  10.0.18362.693  Kernel Driver  Running
bttflt  Microsoft Hyper-V VHDPMEM BTT Filter  bttflt.sys  10.0.18362.1  Kernel Driver  Stopped
buttonconverter  Service for Portable Device Control devices  buttonconverter.sys  10.0.18362.1  Kernel Driver  Stopped
CAD  Charge Arbitration Driver  CAD.sys  10.0.18362.1  Kernel Driver  Running
cdfs  CD/DVD File System Reader  cdfs.sys  10.0.18362.535  File System Driver  Stopped
cdrom  CD-ROM Driver  cdrom.sys  10.0.18362.1  Kernel Driver  Running
cht4iscsi  cht4iscsi  cht4sx64.sys  6.9.12.400  Kernel Driver  Stopped
cht4vbd  Chelsio Virtual Bus Driver  cht4vx64.sys  6.9.12.400  Kernel Driver  Stopped
circlass  Consumer IR Devices  circlass.sys  10.0.18362.1  Kernel Driver  Stopped
CldFlt  Windows Cloud Files Filter Driver  cldflt.sys  10.0.18362.693  File System Driver  Running
CLFS  Common Log (CLFS)  CLFS.sys  10.0.18362.657  Kernel Driver  Running
CmBatt  Microsoft ACPI Control Method Battery Driver  CmBatt.sys  10.0.18362.1  Kernel Driver  Running
CNG  CNG  cng.sys  10.0.18362.295  Kernel Driver  Running
cnghwassist  CNG Hardware Assist algorithm provider  cnghwassist.sys  10.0.18362.1  Kernel Driver  Stopped
CnxtHdAudService  Synaptics UAA Function Driver for High Definition Audio Service  CHDRT64.sys  8.66.98.0  Kernel Driver  Running
CompositeBus  Composite Bus Enumerator Driver  CompositeBus.sys  10.0.18362.329  Kernel Driver  Running
condrv  Console Driver  condrv.sys  10.0.18362.1  Kernel Driver  Running
dam  Desktop Activity Moderator Driver  dam.sys  10.0.18362.1  Kernel Driver  Running
Dfsc  DFS Namespace Client Driver  dfsc.sys  10.0.18362.1  File System Driver  Running
disk  Disk Driver  disk.sys  10.0.18362.1  Kernel Driver  Running
dmvsc  dmvsc  dmvsc.sys  10.0.18362.1  Kernel Driver  Stopped
dptf_acpi  dptf_acpi  dptf_acpi.sys  8.6.10401.9906  Kernel Driver  Running
dptf_cpu  dptf_cpu  dptf_cpu.sys  8.6.10401.9906  Kernel Driver  Running
drmkaud  Microsoft Trusted Audio Drivers  drmkaud.sys  10.0.18362.1  Kernel Driver  Stopped
DXGKrnl  LDDM Graphics Subsystem  dxgkrnl.sys  10.0.18362.719  Kernel Driver  Running
ebdrv  QLogic 10 Gigabit Ethernet Adapter VBD  evbda.sys  7.13.65.105  Kernel Driver  Stopped
EhStorClass  Enhanced Storage Filter Driver  EhStorClass.sys  10.0.18362.1  Kernel Driver  Running
EhStorTcgDrv  Microsoft driver for storage devices supporting IEEE 1667 and TCG protocols  EhStorTcgDrv.sys  10.0.18362.1  Kernel Driver  Stopped
ErrDev  Microsoft Hardware Error Device Driver  errdev.sys  10.0.18362.1  Kernel Driver  Stopped
esif_lf  esif_lf  esif_lf.sys  8.6.10401.9906  Kernel Driver  Running
exfat  exFAT File System Driver      File System Driver  Stopped
fastfat  FAT12/16/32 File System Driver      File System Driver  Running
fdc  Floppy Disk Controller Driver  fdc.sys  10.0.18362.1  Kernel Driver  Stopped
FileCrypt  FileCrypt  filecrypt.sys  10.0.18362.1  File System Driver  Running
FileInfo  File Information FS MiniFilter  fileinfo.sys  10.0.18362.1  File System Driver  Running
Filetrace  Filetrace  filetrace.sys  10.0.18362.1  File System Driver  Stopped
flpydisk  Floppy Disk Driver  flpydisk.sys  10.0.18362.1  Kernel Driver  Stopped
FltMgr  FltMgr  fltmgr.sys  10.0.18362.267  File System Driver  Running
FsDepends  File System Dependency Minifilter  FsDepends.sys  10.0.18362.1  File System Driver  Stopped
fvevol  BitLocker Drive Encryption Filter Driver  fvevol.sys  10.0.18362.267  Kernel Driver  Running
gencounter  Microsoft Hyper-V Generation Counter  vmgencounter.sys  10.0.18362.1  Kernel Driver  Stopped
genericusbfn  Generic USB Function Class  genericusbfn.sys  10.0.18362.329  Kernel Driver  Stopped
GPIOClx0101  Microsoft GPIO Class Extension Driver  msgpioclx.sys  10.0.18362.329  Kernel Driver  Running
GpuEnergyDrv  GPU Energy Driver  gpuenergydrv.sys  10.0.18362.1  Kernel Driver  Running
HdAudAddService  Microsoft 1.1 UAA Function Driver for High Definition Audio Service  HdAudio.sys  10.0.18362.356  Kernel Driver  Stopped
HDAudBus  Microsoft UAA Bus Driver for High Definition Audio  HDAudBus.sys  10.0.18362.693  Kernel Driver  Running
HidBatt  HID UPS Battery Driver  HidBatt.sys  10.0.18362.1  Kernel Driver  Stopped
HidBth  Microsoft Bluetooth HID Miniport  hidbth.sys  10.0.18362.1  Kernel Driver  Stopped
hidi2c  Microsoft I2C HID Miniport Driver  hidi2c.sys  10.0.18362.1  Kernel Driver  Running
hidinterrupt  Common Driver for HID Buttons implemented with interrupts  hidinterrupt.sys  10.0.18362.1  Kernel Driver  Stopped
HidIr  Microsoft Infrared HID Driver  hidir.sys  10.0.18362.1  Kernel Driver  Stopped
hidspi  Microsoft SPI HID Miniport Driver  hidspi.sys  10.0.18362.387  Kernel Driver  Stopped
HidUsb  Microsoft HID Class Driver  hidusb.sys  10.0.18362.175  Kernel Driver  Stopped
HpSAMD  HpSAMD  HpSAMD.sys  8.0.4.0  Kernel Driver  Stopped
HTTP  HTTP Service  HTTP.sys  10.0.18362.628  Kernel Driver  Running
hvcrash  hvcrash  hvcrash.sys  10.0.18362.1  Kernel Driver  Stopped
hvservice  Hypervisor/Virtual Machine Support Driver  hvservice.sys  10.0.18362.657  Kernel Driver  Stopped
HwNClx0101  Microsoft Hardware Notifications Class Extension Driver  mshwnclx.sys  10.0.18362.1  Kernel Driver  Stopped
hwpolicy  Hardware Policy Driver  hwpolicy.sys  10.0.18362.1  Kernel Driver  Stopped
hyperkbd  hyperkbd  hyperkbd.sys  10.0.18362.1  Kernel Driver  Stopped
HyperVideo  HyperVideo  HyperVideo.sys  10.0.18362.1  Kernel Driver  Stopped
i8042prt  i8042 Keyboard and PS/2 Mouse Port Driver  i8042prt.sys  10.0.18362.1  Kernel Driver  Running
iagpio  Intel Serial IO GPIO Controller Driver  iagpio.sys  1.1.1.0  Kernel Driver  Stopped
iai2c  Intel(R) Serial IO I2C Host Controller  iai2c.sys  1.1.1.0  Kernel Driver  Stopped
iaLPSS2_GPIO2  Intel(R) Serial IO GPIO Driver v2  iaLPSS2_GPIO2.sys  30.100.1932.6  Kernel Driver  Running
iaLPSS2_I2C  Intel(R) Serial IO I2C Driver v2  iaLPSS2_I2C.sys  30.100.1932.6  Kernel Driver  Running
iaLPSS2_SPI  Intel(R) Serial IO SPI Driver v2  iaLPSS2_SPI.sys  30.100.1932.6  Kernel Driver  Running
iaLPSS2_UART2  Intel(R) Serial IO UART Driver v2  iaLPSS2_UART2.sys  30.100.1932.6  Kernel Driver  Running
iaLPSS2i_GPIO2_BXT_P  Intel(R) Serial IO GPIO Driver v2  iaLPSS2i_GPIO2_BXT_P.sys  30.100.1816.1  Kernel Driver  Stopped
iaLPSS2i_GPIO2_CNL  Intel(R) Serial IO GPIO Driver v2  iaLPSS2i_GPIO2_CNL.sys  30.100.1816.3  Kernel Driver  Stopped
iaLPSS2i_GPIO2_GLK  Intel(R) Serial IO GPIO Driver v2  iaLPSS2i_GPIO2_GLK.sys  30.100.1820.1  Kernel Driver  Stopped
iaLPSS2i_GPIO2  Intel(R) Serial IO GPIO Driver v2  iaLPSS2i_GPIO2.sys  30.100.1816.3  Kernel Driver  Stopped
iaLPSS2i_I2C_BXT_P  Intel(R) Serial IO I2C Driver v2  iaLPSS2i_I2C_BXT_P.sys  30.100.1816.1  Kernel Driver  Stopped
iaLPSS2i_I2C_CNL  Intel(R) Serial IO I2C Driver v2  iaLPSS2i_I2C_CNL.sys  30.100.1816.3  Kernel Driver  Stopped
iaLPSS2i_I2C_GLK  Intel(R) Serial IO I2C Driver v2  iaLPSS2i_I2C_GLK.sys  30.100.1820.1  Kernel Driver  Stopped
iaLPSS2i_I2C  Intel(R) Serial IO I2C Driver v2  iaLPSS2i_I2C.sys  30.100.1816.3  Kernel Driver  Stopped
iaLPSSi_GPIO  Intel(R) Serial IO GPIO Controller Driver  iaLPSSi_GPIO.sys  1.1.250.0  Kernel Driver  Stopped
iaLPSSi_I2C  Intel(R) Serial IO I2C Controller Driver  iaLPSSi_I2C.sys  1.1.253.0  Kernel Driver  Stopped
iaStorAVC  Intel Chipset SATA RAID Controller  iaStorAVC.sys  15.44.0.1010  Kernel Driver  Stopped
iaStorV  Intel RAID Controller Windows 7  iaStorV.sys  8.6.2.1019  Kernel Driver  Stopped
ibbus  Mellanox InfiniBand Bus/AL (Filter Driver)  ibbus.sys  5.50.14643.0  Kernel Driver  Stopped
ibtusb  Intel(R) Wireless Bluetooth(R)  ibtusb.sys  21.40.1.1  Kernel Driver  Running
igfxn  igfxn  igdkmdn64.sys  26.20.100.7463  Kernel Driver  Running
IndirectKmd  Indirect Displays Kernel-Mode Driver  IndirectKmd.sys  10.0.18362.1  Kernel Driver  Stopped
IntcDAud  Intel(R) Display Audio  IntcDAud.sys  11.1.0.12  Kernel Driver  Running
intelide  intelide  intelide.sys  10.0.18362.693  Kernel Driver  Stopped
intelpep  Intel(R) Power Engine Plug-in Driver  intelpep.sys  10.0.18362.693  Kernel Driver  Running
intelpmax  Intel Power Limit Driver  intelpmax.sys  10.0.18362.1  Kernel Driver  Stopped
intelppm  Intel Processor Driver  intelppm.sys  10.0.18362.693  Kernel Driver  Running
iorate  Disk I/O Rate Filter Driver  iorate.sys  10.0.18362.1  Kernel Driver  Running
IpFilterDriver  IP Traffic Filter Driver  ipfltdrv.sys  10.0.18362.1  Kernel Driver  Stopped
IPMIDRV  IPMIDRV  IPMIDrv.sys  10.0.18362.1  Kernel Driver  Stopped
IPNAT  IP Network Address Translator  ipnat.sys  10.0.18362.1  Kernel Driver  Stopped
IPT  IPT  ipt.sys  10.0.18362.1  Kernel Driver  Stopped
isapnp  isapnp  isapnp.sys  10.0.18362.267  Kernel Driver  Stopped
iScsiPrt  iScsiPort Driver  msiscsi.sys  10.0.18362.449  Kernel Driver  Stopped
ItSas35i  ItSas35i  ItSas35i.sys  2.60.59.80  Kernel Driver  Stopped
kbdclass  Keyboard Class Driver  kbdclass.sys  10.0.18362.1  Kernel Driver  Running
kbdhid  Keyboard HID Driver  kbdhid.sys  10.0.18362.1  Kernel Driver  Stopped
kdnic  Microsoft Kernel Debug Network Miniport (NDIS 6.20)  kdnic.sys  6.1.0.0  Kernel Driver  Running
KSecDD  KSecDD  ksecdd.sys  10.0.18362.113  Kernel Driver  Running
KSecPkg  KSecPkg  ksecpkg.sys  10.0.18362.657  Kernel Driver  Running
ksthunk  Kernel Streaming Thunks  ksthunk.sys  10.0.18362.1  Kernel Driver  Running
lltdio  Link-Layer Topology Discovery Mapper I/O Driver  lltdio.sys  10.0.18362.1  Kernel Driver  Running
LSI_SAS  LSI_SAS  lsi_sas.sys  1.34.3.83  Kernel Driver  Stopped
LSI_SAS2i  LSI_SAS2i  lsi_sas2i.sys  2.0.79.82  Kernel Driver  Stopped
LSI_SAS3i  LSI_SAS3i  lsi_sas3i.sys  2.51.24.80  Kernel Driver  Stopped
LSI_SSS  LSI_SSS  lsi_sss.sys  2.10.61.81  Kernel Driver  Stopped
luafv  UAC File Virtualization  luafv.sys  10.0.18362.53  File System Driver  Running
mausbhost  MA-USB Host Controller Driver  mausbhost.sys  10.0.18362.1  Kernel Driver  Stopped
mausbip  MA-USB IP Filter Driver  mausbip.sys  10.0.18362.1  Kernel Driver  Stopped
MbbCx  MBB Network Adapter Class Extension  MbbCx.sys  10.0.18362.449  Kernel Driver  Stopped
megasas  megasas  megasas.sys  6.706.6.0  Kernel Driver  Stopped
megasas2i  megasas2i  MegaSas2i.sys  6.714.5.0  Kernel Driver  Stopped
megasas35i  megasas35i  megasas35i.sys  7.708.13.0  Kernel Driver  Stopped
megasr  megasr  megasr.sys  15.2.2013.129  Kernel Driver  Stopped
MEIx64  Intel(R) Management Engine Interface   TeeDriverW8x64.sys  1910.13.0.1060  Kernel Driver  Running
Microsoft_Bluetooth_AvrcpTransport  Microsoft Bluetooth Avrcp Transport Driver  Microsoft.Bluetooth.AvrcpTransport.sys  10.0.18362.1  Kernel Driver  Stopped
mlx4_bus  Mellanox ConnectX Bus Enumerator  mlx4_bus.sys  5.50.14643.0  Kernel Driver  Stopped
MMCSS  Multimedia Class Scheduler  mmcss.sys  10.0.18362.1  Kernel Driver  Running
Modem  Modem  modem.sys  10.0.18362.1  Kernel Driver  Stopped
monitor  Microsoft Monitor Class Function Driver Service  monitor.sys  10.0.18362.693  Kernel Driver  Running
mouclass  Mouse Class Driver  mouclass.sys  10.0.18362.1  Kernel Driver  Running
mouhid  Mouse HID Driver  mouhid.sys  10.0.18362.1  Kernel Driver  Running
mountmgr  Mount Point Manager  mountmgr.sys  10.0.18362.449  Kernel Driver  Running
mpsdrv  Windows Defender Firewall Authorization Driver  mpsdrv.sys  10.0.18362.1  Kernel Driver  Running
MRxDAV  WebDav Client Redirector Driver  mrxdav.sys  10.0.18362.387  File System Driver  Stopped
mrxsmb  SMB MiniRedirector Wrapper and Engine  mrxsmb.sys  10.0.18362.720  File System Driver  Running
mrxsmb10  SMB 1.x MiniRedirector  mrxsmb10.sys  10.0.18362.1  File System Driver  Running
mrxsmb20  SMB 2.0 MiniRedirector  mrxsmb20.sys  10.0.18362.693  File System Driver  Running
MsBridge  Microsoft MAC Bridge  bridge.sys  10.0.18362.1  Kernel Driver  Stopped
Msfs  Msfs      File System Driver  Running
msgpiowin32  Common Driver for Buttons, DockMode and Laptop/Slate Indicator  msgpiowin32.sys  10.0.18362.1  Kernel Driver  Stopped
mshidkmdf  mshidkmdf  mshidkmdf.sys  10.0.18362.1  Kernel Driver  Running
mshidumdf  Pass-through HID to UMDF Driver  mshidumdf.sys  10.0.18362.1  Kernel Driver  Stopped
msisadrv  msisadrv  msisadrv.sys  10.0.18362.267  Kernel Driver  Running
MSKSSRV  Microsoft Streaming Service Proxy  MSKSSRV.sys  10.0.18362.207  Kernel Driver  Stopped
MsLldp  Microsoft Link-Layer Discovery Protocol  mslldp.sys  10.0.18362.1  Kernel Driver  Running
MSPCLOCK  Microsoft Streaming Clock Proxy  MSPCLOCK.sys  10.0.18362.1  Kernel Driver  Stopped
MSPQM  Microsoft Streaming Quality Manager Proxy  MSPQM.sys  10.0.18362.1  Kernel Driver  Stopped
MsRPC  MsRPC      Kernel Driver  Stopped
mssmbios  Microsoft System Management BIOS Driver  mssmbios.sys  10.0.18362.1  Kernel Driver  Running
MSTEE  Microsoft Streaming Tee/Sink-to-Sink Converter  MSTEE.sys  10.0.18362.1  Kernel Driver  Stopped
MTConfig  Microsoft Input Configuration Driver  MTConfig.sys  10.0.18362.1  Kernel Driver  Running
Mup  Mup  mup.sys  10.0.18362.207  File System Driver  Running
mvumis  mvumis  mvumis.sys  1.0.5.1016  Kernel Driver  Stopped
NativeWifiP  NativeWiFi Filter  nwifi.sys  10.0.18362.387  Kernel Driver  Running
ndfltr  NetworkDirect Service  ndfltr.sys  5.50.14643.0  Kernel Driver  Stopped
NDIS  NDIS System Driver  ndis.sys  10.0.18362.693  Kernel Driver  Running
NdisCap  Microsoft NDIS Capture  ndiscap.sys  10.0.18362.1  Kernel Driver  Stopped
NdisImPlatform  Microsoft Network Adapter Multiplexor Protocol  NdisImPlatform.sys  10.0.18362.693  Kernel Driver  Stopped
NdisTapi  Remote Access NDIS TAPI Driver  ndistapi.sys  10.0.18362.387  Kernel Driver  Running
Ndisuio  NDIS Usermode I/O Protocol  ndisuio.sys  10.0.18362.1  Kernel Driver  Running
NdisVirtualBus  Microsoft Virtual Network Adapter Enumerator  NdisVirtualBus.sys  10.0.18362.1  Kernel Driver  Running
NdisWan  Remote Access NDIS WAN Driver  ndiswan.sys  10.0.18362.719  Kernel Driver  Running
ndiswanlegacy  Remote Access LEGACY NDIS WAN Driver  ndiswan.sys  10.0.18362.719  Kernel Driver  Stopped
NDKPing  NDKPing Driver  NDKPing.sys  10.0.18362.1  Kernel Driver  Stopped
ndproxy  NDIS Proxy Driver  NDProxy.sys  10.0.18362.387  Kernel Driver  Running
Ndu  Windows Network Data Usage Monitoring Driver  Ndu.sys  10.0.18362.1  Kernel Driver  Running
NetAdapterCx  Network Adapter Wdf Class Extension Library  NetAdapterCx.sys  10.0.18362.1  Kernel Driver  Stopped
NetBIOS  NetBIOS Interface  netbios.sys  10.0.18362.1  File System Driver  Running
NetBT  NetBT  netbt.sys  10.0.18362.145  Kernel Driver  Running
netvsc  netvsc  netvsc.sys  10.0.18362.1  Kernel Driver  Stopped
Netwtw08  ___ Intel(R) Wireless Adapter Driver for Windows 10 - 64 Bit  Netwtw08.sys  21.60.2.1  Kernel Driver  Running
nhi  Thunderbolt(TM) Controller  TbtBusDrv.sys  1.41.648.5  Kernel Driver  Running
Npfs  Npfs      File System Driver  Running
npsvctrig  Named pipe service trigger provider  npsvctrig.sys  10.0.18362.1  Kernel Driver  Running
nsiproxy  NSI Proxy Service Driver  nsiproxy.sys  10.0.18362.449  Kernel Driver  Running
Ntfs  Ntfs      File System Driver  Running
Null  Null      Kernel Driver  Running
nvdimm  Microsoft NVDIMM device driver  nvdimm.sys  10.0.18362.1  Kernel Driver  Stopped
nvraid  nvraid  nvraid.sys  10.6.0.23  Kernel Driver  Stopped
nvstor  nvstor  nvstor.sys  10.6.0.23  Kernel Driver  Stopped
Parport  Parallel port driver  parport.sys  10.0.18362.1  Kernel Driver  Stopped
partmgr  Partition driver  partmgr.sys  10.0.18362.145  Kernel Driver  Running
pci  PCI Bus Driver  pci.sys  10.0.18362.628  Kernel Driver  Running
pciide  pciide  pciide.sys  10.0.18362.693  Kernel Driver  Stopped
pcmcia  pcmcia  pcmcia.sys  10.0.18362.1  Kernel Driver  Stopped
pcw  Performance Counters for Windows Driver  pcw.sys  10.0.18362.1  Kernel Driver  Running
pdc  pdc  pdc.sys  10.0.18362.693  Kernel Driver  Running
PEAUTH  PEAUTH  peauth.sys  10.0.18362.295  Kernel Driver  Running
percsas2i  percsas2i  percsas2i.sys  6.805.3.0  Kernel Driver  Stopped
percsas3i  percsas3i  percsas3i.sys  6.604.6.0  Kernel Driver  Stopped
PktMon  Packet Monitor Driver  PktMon.sys  10.0.18362.1  Kernel Driver  Stopped
PlatMgr  PlatMgr Service  PlatMgr.sys  1.1.1910.702  Kernel Driver  Running
pmem  Microsoft persistent memory disk driver  pmem.sys  10.0.18362.1  Kernel Driver  Stopped
pmxdrv  pmxdrv  pmxdrv.sys  1.0.0.1003  Kernel Driver  Stopped
PNPMEM  Microsoft Memory Module Driver  pnpmem.sys  10.0.18362.1  Kernel Driver  Stopped
portcfg  portcfg  portcfg.sys  10.0.18362.1  Kernel Driver  Stopped
PptpMiniport  WAN Miniport (PPTP)  raspptp.sys  10.0.18362.1  Kernel Driver  Running
Processor  Processor Driver  processr.sys  10.0.18362.693  Kernel Driver  Stopped
Psched  QoS Packet Scheduler  pacer.sys  10.0.18362.1  Kernel Driver  Running
QWAVEdrv  QWAVE driver  qwavedrv.sys  10.0.18362.1  Kernel Driver  Stopped
Ramdisk  Windows RAM Disk Driver  ramdisk.sys  10.0.18362.1  Kernel Driver  Stopped
RasAcd  Remote Access Auto Connection Driver  rasacd.sys  10.0.18362.1  Kernel Driver  Stopped
RasAgileVpn  WAN Miniport (IKEv2)  AgileVpn.sys  10.0.18362.719  Kernel Driver  Running
Rasl2tp  WAN Miniport (L2TP)  rasl2tp.sys  10.0.18362.1  Kernel Driver  Running
RasPppoe  Remote Access PPPOE Driver  raspppoe.sys  10.0.18362.1  Kernel Driver  Running
RasSstp  WAN Miniport (SSTP)  rassstp.sys  10.0.18362.1  Kernel Driver  Running
rdbss  Redirected Buffering Sub System  rdbss.sys  10.0.18362.693  File System Driver  Running
rdpbus  Remote Desktop Device Redirector Bus Driver  rdpbus.sys  10.0.18362.1  Kernel Driver  Running
RDPDR  Remote Desktop Device Redirector Driver  rdpdr.sys  10.0.18362.267  Kernel Driver  Stopped
RdpVideoMiniport  Remote Desktop Video Miniport Driver  rdpvideominiport.sys  10.0.18362.693  Kernel Driver  Running
rdyboost  ReadyBoost  rdyboost.sys  10.0.18362.1  Kernel Driver  Running
ReFS  ReFS      File System Driver  Stopped
ReFSv1  ReFSv1      File System Driver  Stopped
RFCOMM  Bluetooth Device (RFCOMM Protocol TDI)  rfcomm.sys  10.0.18362.1  Kernel Driver  Stopped
rhproxy  Resource Hub proxy driver  rhproxy.sys  10.0.18362.1  Kernel Driver  Stopped
rspndr  Link-Layer Topology Discovery Responder  rspndr.sys  10.0.18362.1  Kernel Driver  Running
rtux64w10  Realtek USB FE/1GbE/2.5GbE NIC Family Windows 10 64-bit Driver  rtux64w10.sys  10.33.419.2019  Kernel Driver  Stopped
s3cap  s3cap  vms3cap.sys  10.0.18362.1  Kernel Driver  Stopped
sbp2port  SBP-2 Transport/Protocol Bus Driver  sbp2port.sys  10.0.18362.1  Kernel Driver  Stopped
scfilter  Smart card PnP Class Filter Driver  scfilter.sys  10.0.18362.1  Kernel Driver  Stopped
scmbus  Microsoft Storage Class Memory Bus Driver  scmbus.sys  10.0.18362.1  Kernel Driver  Stopped
sdbus  sdbus  sdbus.sys  10.0.18362.628  Kernel Driver  Stopped
SDFRd  SDF Reflector  SDFRd.sys  10.0.18362.1  Kernel Driver  Stopped
sdstor  SD Storage Port Driver  sdstor.sys  10.0.18362.1  Kernel Driver  Stopped
SerCx  Serial UART Support Library  SerCx.sys  10.0.18362.1  Kernel Driver  Stopped
SerCx2  Serial UART Support Library  SerCx2.sys  10.0.18362.1  Kernel Driver  Running
Serenum  Serenum Filter Driver  serenum.sys  10.0.18362.1  Kernel Driver  Stopped
Serial  Serial port driver  serial.sys  10.0.18362.1  Kernel Driver  Stopped
sermouse  Serial Mouse Driver  sermouse.sys  10.0.18362.1  Kernel Driver  Stopped
sfloppy  High-Capacity Floppy Disk Drive  sfloppy.sys  10.0.18362.1  Kernel Driver  Stopped
SgrmAgent  System Guard Runtime Monitor Agent  SgrmAgent.sys  10.0.18362.1  Kernel Driver  Running
SiSRaid2  SiSRaid2  SiSRaid2.sys  5.1.1039.2600  Kernel Driver  Stopped
SiSRaid4  SiSRaid4  sisraid4.sys  5.1.1039.3600  Kernel Driver  Stopped
SmartSAMD  SmartSAMD  SmartSAMD.sys  1.50.0.0  Kernel Driver  Stopped
spaceport  Storage Spaces Driver  spaceport.sys  10.0.18362.449  Kernel Driver  Running
SpatialGraphFilter  Holographic Spatial Graph Filter  SpatialGraphFilter.sys  10.0.18362.1  Kernel Driver  Stopped
SpbCx  Simple Peripheral Bus Support Library  SpbCx.sys  10.0.18362.1  Kernel Driver  Running
srv2  Server SMB 2.xxx Driver  srv2.sys  10.0.18362.720  File System Driver  Running
srvnet  srvnet  srvnet.sys  10.0.18362.693  File System Driver  Running
stexstor  stexstor  stexstor.sys  5.1.0.10  Kernel Driver  Stopped
storahci  Microsoft Standard SATA AHCI Driver  storahci.sys  10.0.18362.693  Kernel Driver  Stopped
storflt  Microsoft Hyper-V Storage Accelerator  vmstorfl.sys  10.0.18362.387  Kernel Driver  Stopped
stornvme  Microsoft Standard NVM Express Driver  stornvme.sys  10.0.18362.693  Kernel Driver  Running
storqosflt  Storage QoS Filter Driver  storqosflt.sys  10.0.18362.1  File System Driver  Running
storufs  Microsoft Universal Flash Storage (UFS) Driver  storufs.sys  10.0.18362.329  Kernel Driver  Stopped
storvsc  storvsc  storvsc.sys  10.0.18362.387  Kernel Driver  Stopped
swenum  Software Bus Driver  swenum.sys  10.0.18362.329  Kernel Driver  Running
Synth3dVsc  Synth3dVsc  Synth3dVsc.sys  10.0.18362.1  Kernel Driver  Stopped
tap0901  TAP-Windows Adapter V9  tap0901.sys  9.0.0.21  Kernel Driver  Running
Tcpip  TCP/IP Protocol Driver  tcpip.sys  10.0.18362.693  Kernel Driver  Running
Tcpip6  @todo.dll,-100;Microsoft IPv6 Protocol Driver  tcpip.sys  10.0.18362.693  Kernel Driver  Stopped
tcpipreg  TCP/IP Registry Compatibility  tcpipreg.sys  10.0.18362.1  Kernel Driver  Running
tdx  NetIO Legacy TDI Support Driver  tdx.sys  10.0.18362.1  Kernel Driver  Running
terminpt  Microsoft Remote Desktop Input Driver  terminpt.sys  10.0.18362.1  Kernel Driver  Stopped
TPM  TPM  tpm.sys  10.0.18362.693  Kernel Driver  Running
TsUsbFlt  Remote Desktop USB Hub Class Filter Driver  tsusbflt.sys  10.0.18362.1  Kernel Driver  Stopped
TsUsbGD  Remote Desktop Generic USB Device  TsUsbGD.sys  10.0.18362.1  Kernel Driver  Stopped
tunnel  Microsoft Tunnel Miniport Adapter Driver  tunnel.sys  10.0.18362.476  Kernel Driver  Stopped
UASPStor  USB Attached SCSI (UAS) Driver  uaspstor.sys  10.0.18362.387  Kernel Driver  Stopped
UcmCx0101  USB Connector Manager KMDF Class Extension  UcmCx.sys  10.0.18362.1  Kernel Driver  Stopped
UcmTcpciCx0101  UCM-TCPCI KMDF Class Extension  UcmTcpciCx.sys  10.0.18362.1  Kernel Driver  Stopped
UcmUcsiAcpiClient  UCM-UCSI ACPI Client  UcmUcsiAcpiClient.sys  10.0.18362.1  Kernel Driver  Stopped
UcmUcsiCx0101  UCM-UCSI KMDF Class Extension  UcmUcsiCx.sys  10.0.18362.1  Kernel Driver  Stopped
Ucx01000  USB Host Support Library  ucx01000.sys  10.0.18362.1  Kernel Driver  Running
UdeCx  USB Device Emulation Support Library  udecx.sys  10.0.18362.1  Kernel Driver  Stopped
udfs  udfs  udfs.sys  10.0.18362.535  File System Driver  Stopped
UEFI  Microsoft UEFI Driver  UEFI.sys  10.0.18362.329  Kernel Driver  Running
Ufx01000  USB Function Class Extension  ufx01000.sys  10.0.18362.1  Kernel Driver  Stopped
UfxChipidea  USB Chipidea Controller  UfxChipidea.sys  10.0.18362.329  Kernel Driver  Stopped
ufxsynopsys  USB Synopsys Controller  ufxsynopsys.sys  10.0.18362.1  Kernel Driver  Stopped
umbus  UMBus Enumerator Driver  umbus.sys  10.0.18362.329  Kernel Driver  Running
UmPass  Microsoft UMPass Driver  umpass.sys  10.0.18362.1  Kernel Driver  Running
UrsChipidea  Chipidea USB Role-Switch Driver  urschipidea.sys  10.0.18362.329  Kernel Driver  Stopped
UrsCx01000  USB Role-Switch Support Library  urscx01000.sys  10.0.18362.1  Kernel Driver  Stopped
UrsSynopsys  Synopsys USB Role-Switch Driver  urssynopsys.sys  10.0.18362.329  Kernel Driver  Stopped
usbaudio  USB Audio Driver (WDM)  usbaudio.sys  10.0.18362.1  Kernel Driver  Stopped
usbaudio2  USB Audio 2.0 Service  usbaudio2.sys  10.0.18362.207  Kernel Driver  Stopped
usbccgp  Microsoft USB Generic Parent Driver  usbccgp.sys  10.0.18362.693  Kernel Driver  Running
usbcir  eHome Infrared Receiver (USBCIR)  usbcir.sys  10.0.18362.1  Kernel Driver  Stopped
usbehci  Microsoft USB 2.0 Enhanced Host Controller Miniport Driver  usbehci.sys  10.0.18362.1  Kernel Driver  Stopped
usbhub  Microsoft USB Standard Hub Driver  usbhub.sys  10.0.18362.1  Kernel Driver  Stopped
USBHUB3  SuperSpeed Hub  UsbHub3.sys  10.0.18362.1  Kernel Driver  Running
usbohci  Microsoft USB Open Host Controller Miniport Driver  usbohci.sys  10.0.18362.1  Kernel Driver  Stopped
usbprint  Microsoft USB PRINTER Class  usbprint.sys  10.0.18362.1  Kernel Driver  Stopped
usbser  Microsoft USB Serial Driver  usbser.sys  10.0.18362.1  Kernel Driver  Stopped
USBSTOR  USB Mass Storage Driver  USBSTOR.SYS  10.0.18362.1  Kernel Driver  Stopped
usbuhci  Microsoft USB Universal Host Controller Miniport Driver  usbuhci.sys  10.0.18362.1  Kernel Driver  Stopped
usbvideo  USB Video Device (WDM)  usbvideo.sys  10.0.18362.693  Kernel Driver  Running
USBXHCI  USB xHCI Compliant Host Controller  USBXHCI.SYS  10.0.18362.693  Kernel Driver  Running
vdrvroot  Microsoft Virtual Drive Enumerator  vdrvroot.sys  10.0.18362.1  Kernel Driver  Running
VerifierExt  Driver Verifier Extension  VerifierExt.sys  10.0.18362.1  Kernel Driver  Stopped
vhdmp  vhdmp  vhdmp.sys  10.0.18362.657  Kernel Driver  Stopped
vhf  Virtual HID Framework (VHF) Driver  vhf.sys  10.0.18362.1  Kernel Driver  Stopped
Vid  Vid  Vid.sys  10.0.18362.476  Kernel Driver  Running
vmbus  Virtual Machine Bus  vmbus.sys  10.0.18362.693  Kernel Driver  Stopped
VMBusHID  VMBusHID  VMBusHID.sys  10.0.18362.1  Kernel Driver  Stopped
vmgid  Microsoft Hyper-V Guest Infrastructure Driver  vmgid.sys  10.0.18362.1  Kernel Driver  Stopped
volmgr  Volume Manager Driver  volmgr.sys  10.0.18362.628  Kernel Driver  Running
volmgrx  Dynamic Volume Manager  volmgrx.sys  10.0.18362.1  Kernel Driver  Running
volsnap  Volume Shadow Copy driver  volsnap.sys  10.0.18362.693  Kernel Driver  Running
volume  Volume driver  volume.sys  10.0.18362.1  Kernel Driver  Running
vpci  Microsoft Hyper-V Virtual PCI Bus  vpci.sys  10.0.18362.1  Kernel Driver  Stopped
vsmraid  vsmraid  vsmraid.sys  7.0.9600.6352  Kernel Driver  Stopped
VSTXRAID  VIA StorX Storage RAID Controller Windows Driver  vstxraid.sys  8.0.9200.8110  Kernel Driver  Stopped
vwifibus  Virtual Wireless Bus Driver  vwifibus.sys  10.0.18362.1  Kernel Driver  Running
vwififlt  Virtual WiFi Filter Driver  vwififlt.sys  10.0.18362.1  Kernel Driver  Running
vwifimp  Virtual WiFi Miniport Service  vwifimp.sys  10.0.18362.1  Kernel Driver  Running
WacomPen  Wacom Serial Pen HID Driver  wacompen.sys  10.0.18362.1  Kernel Driver  Stopped
wanarp  Remote Access IP ARP Driver  wanarp.sys  10.0.18362.387  Kernel Driver  Running
wanarpv6  Remote Access IPv6 ARP Driver  wanarp.sys  10.0.18362.387  Kernel Driver  Stopped
wcifs  Windows Container Isolation  wcifs.sys  10.0.18362.693  File System Driver  Running
wcnfs  Windows Container Name Virtualization  wcnfs.sys  10.0.18362.1  File System Driver  Stopped
WdBoot  Windows Defender Antivirus Boot Driver  WdBoot.sys  4.18.2001.10  Kernel Driver  Stopped
Wdf01000  Kernel Mode Driver Frameworks service  Wdf01000.sys  1.29.18362.1  Kernel Driver  Running
WdFilter  Windows Defender Antivirus Mini-Filter Driver  WdFilter.sys  4.18.2001.10  File System Driver  Running
wdiwifi  WDI Driver Framework  wdiwifi.sys  10.0.18362.387  Kernel Driver  Running
WdmCompanionFilter  WdmCompanionFilter  WdmCompanionFilter.sys  10.0.18362.1  Kernel Driver  Stopped
WdNisDrv  Windows Defender Antivirus Network Inspection System Driver  WdNisDrv.sys  4.18.2001.10  Kernel Driver  Running
WFPLWFS  Microsoft Windows Filtering Platform  wfplwfs.sys  10.0.18362.207  Kernel Driver  Running
WIMMount  WIMMount  wimmount.sys  10.0.18362.657  File System Driver  Stopped
WindowsTrustedRT  Windows Trusted Execution Environment Class Extension  WindowsTrustedRT.sys  10.0.18362.1  Kernel Driver  Running
WindowsTrustedRTProxy  Microsoft Windows Trusted Runtime Secure Service  WindowsTrustedRTProxy.sys  10.0.18362.1  Kernel Driver  Running
WinMad  WinMad Service  winmad.sys  5.50.14643.0  Kernel Driver  Stopped
WinNat  Windows NAT Driver  winnat.sys  10.0.18362.693  Kernel Driver  Stopped
WinQuic  WinQuic  winquic.sys  10.0.18362.145  Kernel Driver  Running
WINUSB  WinUsb Driver  WinUSB.SYS  10.0.18362.1  Kernel Driver  Stopped
WinVerbs  WinVerbs Service  winverbs.sys  5.50.14643.0  Kernel Driver  Stopped
WmiAcpi  Microsoft Windows Management Interface for ACPI  wmiacpi.sys  10.0.18362.1  Kernel Driver  Running
Wof  Windows Overlay File System Filter Driver      File System Driver  Running
WpdUpFltr  WPD Upper Class Filter Driver  WpdUpFltr.sys  10.0.18362.1  Kernel Driver  Stopped
ws2ifsl  Winsock IFS Driver  ws2ifsl.sys  10.0.18362.356  Kernel Driver  Stopped
WudfPf  User Mode Driver Frameworks Platform Driver  WudfPf.sys  10.0.18362.1  Kernel Driver  Stopped
WUDFRd  Windows Driver Foundation - User-mode Driver Framework Reflector  WUDFRd.sys  10.0.18362.1  Kernel Driver  Running
WUDFWpdFs  WPD File System driver  WUDFRd.sys  10.0.18362.1  Kernel Driver  Running
xboxgip  Xbox Game Input Protocol Driver  xboxgip.sys  10.0.18362.267  Kernel Driver  Stopped
xinputhid  XINPUT HID Filter Driver  xinputhid.sys  10.0.18362.1  Kernel Driver  Stopped
xnotepep  Platform Pep  xnotepep.sys  1.0.2001.2101  Kernel Driver  Running


Services

 
Service Name  Service Description  File Name  Version  Type  State  Account
AarSvc_4672ec  Agent Activation Runtime_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
AESMService  Intel® SGX AESM  aesm_service.exe  2.4.100.51291  Own Process  Running  LocalSystem
AJRouter  AllJoyn Router Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
ALG  Application Layer Gateway Service  alg.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\LocalService
AppIDSvc  Application Identity  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\LocalService
Appinfo  Application Information  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
AppReadiness  App Readiness  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
AppXSvc  AppX Deployment Service (AppXSVC)  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
AudioEndpointBuilder  Windows Audio Endpoint Builder  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
Audiosrv  Windows Audio  svchost.exe  10.0.18362.1  Own Process  Running  NT AUTHORITY\LocalService
autotimesvc  Cellular Time  svchost.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\LocalService
AxInstSV  ActiveX Installer (AxInstSV)  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
BcastDVRUserService_4672ec  GameDVR and Broadcast User Service_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
BDESVC  BitLocker Drive Encryption Service  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
BFE  Base Filtering Engine  svchost.exe  10.0.18362.1  Share Process  Running  NT AUTHORITY\LocalService
BITS  Background Intelligent Transfer Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
BluetoothUserService_4672ec  Bluetooth User Support Service_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
BrokerInfrastructure  Background Tasks Infrastructure Service  svchost.exe  10.0.18362.1  Share Process  Running  LocalSystem
Browser  Computer Browser  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
BTAGService  Bluetooth Audio Gateway Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
BthAvctpSvc  AVCTP service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
bthserv  Bluetooth Support Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
camsvc  Capability Access Manager Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
CaptureService_4672ec  CaptureService_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
cbdhsvc_4672ec  Clipboard User Service_4672ec  svchost.exe  10.0.18362.1  Unknown  Running  
CDPSvc  Connected Devices Platform Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
CDPUserSvc_4672ec  Connected Devices Platform User Service_4672ec  svchost.exe  10.0.18362.1  Unknown  Running  
CertPropSvc  Certificate Propagation  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
ClickToRunSvc  Microsoft Office Click-to-Run Service  OfficeClickToRun.exe  16.0.12527.20242  Own Process  Running  LocalSystem
ClipSVC  Client License Service (ClipSVC)  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
COMSysApp  COM+ System Application  dllhost.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
ConsentUxUserSvc_4672ec  ConsentUX_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
CoreMessagingRegistrar  CoreMessaging  svchost.exe  10.0.18362.1  Share Process  Running  NT AUTHORITY\LocalService
cplspcon  Intel(R) Content Protection HDCP Service  IntelCpHDCPSvc.exe  25.20.100.7463  Own Process  Running  LocalSystem
CredentialEnrollmentManagerUserSvc_4672ec  CredentialEnrollmentManagerUserSvc_4672ec  CredentialEnrollmentManager.exe  10.0.18362.1  Unknown  Stopped  
CryptSvc  Cryptographic Services  svchost.exe  10.0.18362.1  Unknown  Running  NT Authority\NetworkService
CxAudioSvc  CxAudioSvc  CxAudioSvc.exe  1.0.27.0  Own Process  Running  LocalSystem
CxAudMsg  CxAudMsg Service  CxAudMsg64.exe  1.19.0.0  Own Process  Running  LocalSystem
CxUIUSvc  CxUIUSvc Service  CxUIUSvc32.exe  1.0.0.43  Own Process  Running  LocalSystem
CxUtilSvc  CxUtilSvc  CxUtilSvc.exe  2.29.0.0  Own Process  Running  LocalSystem
DcomLaunch  DCOM Server Process Launcher  svchost.exe  10.0.18362.1  Share Process  Running  LocalSystem
defragsvc  Optimize drives  svchost.exe  10.0.18362.1  Own Process  Stopped  localSystem
DeviceAssociationBrokerSvc_4672ec  DeviceAssociationBroker_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
DeviceAssociationService  Device Association Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
DeviceInstall  Device Install Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
DevicePickerUserSvc_4672ec  DevicePicker_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
DevicesFlowUserSvc_4672ec  DevicesFlow_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
DevQueryBroker  DevQuery Background Discovery Broker  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
Dhcp  DHCP Client  svchost.exe  10.0.18362.1  Unknown  Running  NT Authority\LocalService
diagnosticshub.standardcollector.service  Microsoft (R) Diagnostics Hub Standard Collector Service  DiagnosticsHub.StandardCollector.Service.exe  11.0.18362.719  Own Process  Stopped  LocalSystem
diagsvc  Diagnostic Execution Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
DiagTrack  Connected User Experiences and Telemetry  svchost.exe  10.0.18362.1  Own Process  Running  LocalSystem
DispBrokerDesktopSvc  Display Policy Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
DisplayEnhancementService  Display Enhancement Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
DmEnrollmentSvc  Device Management Enrollment Service  svchost.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
dmwappushservice  Device Management Wireless Application Protocol (WAP) Push message Routing Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
Dnscache  DNS Client  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\NetworkService
DoSvc  Delivery Optimization  svchost.exe  10.0.18362.1  Unknown  Running  NT Authority\NetworkService
dot3svc  Wired AutoConfig  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
DPS  Diagnostic Policy Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
DsmSvc  Device Setup Manager  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
DsSvc  Data Sharing Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
DtsApo4Service  DtsApo4Service  DtsApo4Service.exe  1.1.2.0  Own Process  Running  LocalSystem
DusmSvc  Data Usage  svchost.exe  10.0.18362.1  Own Process  Running  NT Authority\LocalService
Eaphost  Extensible Authentication Protocol  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
edgeupdate  Microsoft Edge Update Service (edgeupdate)  MicrosoftEdgeUpdate.exe  1.3.121.21  Own Process  Stopped  LocalSystem
edgeupdatem  Microsoft Edge Update Service (edgeupdatem)  MicrosoftEdgeUpdate.exe  1.3.121.21  Own Process  Stopped  LocalSystem
EFS  Encrypting File System (EFS)  lsass.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
embeddedmode  Embedded Mode  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
EntAppSvc  Enterprise App Management Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
esifsvc  Intel(R) Dynamic Tuning service  esif_uf.exe  8.6.10401.9906  Own Process  Running  LocalSystem
EventLog  Windows Event Log  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
EventSystem  COM+ Event System  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
Fax  Fax  fxssvc.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\NetworkService
fdPHost  Function Discovery Provider Host  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
FDResPub  Function Discovery Resource Publication  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
fhsvc  File History Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
FontCache  Windows Font Cache Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
FrameServer  Windows Camera Frame Server  svchost.exe  10.0.18362.1  Unknown  Stopped  NT AUTHORITY\LocalService
GoogleChromeElevationService  Google Chrome Elevation Service  elevation_service.exe  80.0.3987.149  Own Process  Stopped  LocalSystem
gpsvc  Group Policy Client  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
GraphicsPerfSvc  GraphicsPerfSvc  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
gupdate  Google Update Service (gupdate)  GoogleUpdate.exe  1.3.35.441  Own Process  Stopped  LocalSystem
gupdatem  Google Update Service (gupdatem)  GoogleUpdate.exe  1.3.35.441  Own Process  Stopped  LocalSystem
hidserv  Human Interface Device Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
HvHost  HV Host Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
icssvc  Windows Mobile Hotspot Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\LocalService
igfxCUIService2.0.0.0  Intel(R) HD Graphics Control Panel Service  igfxCUIServiceN.exe  6.15.100.7463  Own Process  Running  LocalSystem
IKEEXT  IKE and AuthIP IPsec Keying Modules  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
InstallService  Microsoft Store Install Service  svchost.exe  10.0.18362.1  Own Process  Running  LocalSystem
Intel(R) Capability Licensing Service TCP IP Interface  Intel(R) Capability Licensing Service TCP IP Interface  SocketHeciServer.exe  1.57.263.0  Own Process  Running  LocalSystem
Intel(R) TPM Provisioning Service  Intel(R) TPM Provisioning Service  TPMProvisioningService.exe  1.57.263.0  Own Process  Stopped  LocalSystem
iphlpsvc  IP Helper  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
IpxlatCfgSvc  IP Translation Configuration Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
jhi_service  Intel(R) Dynamic Application Loader Host Interface Service  jhi_service.exe  1.34.2019.714  Own Process  Running  LocalSystem
KeyIso  CNG Key Isolation  lsass.exe  10.0.18362.1  Share Process  Running  LocalSystem
KtmRm  KtmRm for Distributed Transaction Coordinator  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\NetworkService
LanmanServer  Server  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
LanmanWorkstation  Workstation  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\NetworkService
lfsvc  Geolocation Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
LG Device Managers  LG Device Managers  DeviceManager.exe  1.0.0.0  Own Process  Running  LocalSystem
LGControlCenterSVC  LGControlCenterSVC  LGControlCenterSVC.exe  1.0.0.0  Own Process  Running  LocalSystem
LGUWPService  LG UWP Service  LGUWPService.exe  1.0.0.0  Own Process  Running  LocalSystem
LicenseManager  Windows License Manager Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\LocalService
lltdsvc  Link-Layer Topology Discovery Mapper  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
lmhosts  TCP/IP NetBIOS Helper  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
LMS  Intel(R) Management and Security Application Local Management Service  LMS.exe  1927.13.0.1087  Own Process  Running  LocalSystem
LSM  Local Session Manager  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
LxpSvc  Language Experience Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
MapsBroker  Downloaded Maps Manager  svchost.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\NetworkService
MessagingService_4672ec  MessagingService_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
MicrosoftEdgeElevationService  Microsoft Edge Elevation Service  elevation_service.exe  80.0.361.66  Own Process  Stopped  LocalSystem
mpssvc  Windows Defender Firewall  svchost.exe  10.0.18362.1  Share Process  Running  NT Authority\LocalService
MSDTC  Distributed Transaction Coordinator  msdtc.exe  2001.12.10941.16384  Own Process  Stopped  NT AUTHORITY\NetworkService
MSiSCSI  Microsoft iSCSI Initiator Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
msiserver  Windows Installer  msiexec.exe  5.0.18362.1  Own Process  Stopped  LocalSystem
NaturalAuthentication  Natural Authentication  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
NcaSvc  Network Connectivity Assistant  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
NcbService  Network Connection Broker  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
NcdAutoSetup  Network Connected Devices Auto-Setup  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
Netlogon  Netlogon  lsass.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
Netman  Network Connections  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
netprofm  Network List Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
NetSetupSvc  Network Setup Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
NetTcpPortSharing  Net.Tcp Port Sharing Service  SMSvcHost.exe  4.8.4121.0  Share Process  Stopped  NT AUTHORITY\LocalService
NgcCtnrSvc  Microsoft Passport Container  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
NgcSvc  Microsoft Passport  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
NlaSvc  Network Location Awareness  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\NetworkService
nsi  Network Store Interface Service  svchost.exe  10.0.18362.1  Unknown  Running  NT Authority\LocalService
OneSyncSvc_4672ec  Sync Host_4672ec  svchost.exe  10.0.18362.1  Unknown  Running  
ose64  Office 64 Source Engine  OSE.EXE  16.0.12527.20240  Own Process  Stopped  LocalSystem
p2pimsvc  Peer Networking Identity Manager  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
p2psvc  Peer Networking Grouping  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
PcaSvc  Program Compatibility Assistant Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
perceptionsimulation  Windows Perception Simulation Service  PerceptionSimulationService.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
PerfHost  Performance Counter DLL Host  perfhost.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\LocalService
PhoneSvc  Phone Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\LocalService
PimIndexMaintenanceSvc_4672ec  Contact Data_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
pla  Performance Logs & Alerts  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
PlatformMgrService  PlatformMgrService  PlatformMgrService.exe  1.1.1910.702  Own Process  Running  LocalSystem
PlugPlay  Plug and Play  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
PNRPAutoReg  PNRP Machine Name Publication Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
PNRPsvc  Peer Name Resolution Protocol  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
PolicyAgent  IPsec Policy Agent  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\NetworkService
Power  Power  svchost.exe  10.0.18362.1  Share Process  Running  LocalSystem
PrintNotify  Printer Extensions and Notifications  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
PrintWorkflowUserSvc_4672ec  PrintWorkflow_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
ProfSvc  User Profile Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
PushToInstall  Windows PushToInstall Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
QPCore  QPCore Service  QQProtect.exe  4.5.0.9406  Own Process  Running  LocalSystem
QWAVE  Quality Windows Audio Video Experience  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
RasAuto  Remote Access Auto Connection Manager  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
RasMan  Remote Access Connection Manager  svchost.exe  10.0.18362.1  Share Process  Running  localSystem
RemoteAccess  Routing and Remote Access  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
RemoteRegistry  Remote Registry  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
RetailDemo  Retail Demo Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
RmSvc  Radio Management Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
RpcEptMapper  RPC Endpoint Mapper  svchost.exe  10.0.18362.1  Share Process  Running  NT AUTHORITY\NetworkService
RpcLocator  Remote Procedure Call (RPC) Locator  locator.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\NetworkService
RpcSs  Remote Procedure Call (RPC)  svchost.exe  10.0.18362.1  Share Process  Running  NT AUTHORITY\NetworkService
SamSs  Security Accounts Manager  lsass.exe  10.0.18362.1  Share Process  Running  LocalSystem
SAService  Conexant SmartAudio service  SASrv.exe  1.0.10.0  Own Process  Running  LocalSystem
SCardSvr  Smart Card  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
ScDeviceEnum  Smart Card Device Enumeration Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
Schedule  Task Scheduler  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
SCPolicySvc  Smart Card Removal Policy  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
SDRSVC  Windows Backup  svchost.exe  10.0.18362.1  Own Process  Stopped  localSystem
seclogon  Secondary Logon  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
SecurityHealthService  Windows Security Service  SecurityHealthService.exe  4.18.1901.16384  Own Process  Running  LocalSystem
SEMgrSvc  Payments and NFC/SE Manager  svchost.exe  10.0.18362.1  Own Process  Running  NT AUTHORITY\LocalService
SENS  System Event Notification Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
SensorDataService  Sensor Data Service  SensorDataService.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
SensorService  Sensor Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
SensrSvc  Sensor Monitoring Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
SessionEnv  Remote Desktop Configuration  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
SessionSvc  Session Detection  SessionService.exe    Own Process  Running  LocalSystem
SgrmBroker  System Guard Runtime Monitor Broker  SgrmBroker.exe  10.0.18362.1  Own Process  Running  LocalSystem
SharedAccess  Internet Connection Sharing (ICS)  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
SharedRealitySvc  Spatial Data Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
ShellHWDetection  Shell Hardware Detection  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
shpamsvc  Shared PC Account Manager  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
smphost  Microsoft Storage Spaces SMP  svchost.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\NetworkService
SmsRouter  Microsoft Windows SMS Router Service.  svchost.exe  10.0.18362.1  Unknown  Stopped  NT Authority\LocalService
SNMPTRAP  SNMP Trap  snmptrap.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\LocalService
spectrum  Windows Perception Service  spectrum.exe  10.0.18362.239  Own Process  Stopped  NT AUTHORITY\LocalService
Spooler  Print Spooler  spoolsv.exe  10.0.18362.476  Own Process  Running  LocalSystem
sppsvc  Software Protection  sppsvc.exe  10.0.18362.720  Own Process  Running  NT AUTHORITY\NetworkService
SSDPSRV  SSDP Discovery  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
ssh-agent  OpenSSH Authentication Agent  ssh-agent.exe  7.7.2.1  Own Process  Stopped  LocalSystem
SstpSvc  Secure Socket Tunneling Protocol Service  svchost.exe  10.0.18362.1  Unknown  Running  NT Authority\LocalService
StateRepository  State Repository Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
stisvc  Windows Image Acquisition (WIA)  svchost.exe  10.0.18362.1  Own Process  Stopped  NT Authority\LocalService
StorSvc  Storage Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
svsvc  Spot Verifier  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
swprv  Microsoft Software Shadow Copy Provider  svchost.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
SynaAssist  SynaAssist Service  SynaAssist64.exe  1.0.0.2  Own Process  Stopped  LocalSystem
SysMain  SysMain  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
SystemEventsBroker  System Events Broker  svchost.exe  10.0.18362.1  Share Process  Running  LocalSystem
TabletInputService  Touch Keyboard and Handwriting Panel Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
TapiSrv  Telephony  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\NetworkService
TbtHostControllerService  Thunderbolt(TM) Application Launcher  ThunderboltService.exe  1.41.648.5  Own Process  Running  LocalSystem
TermService  Remote Desktop Services  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\NetworkService
Themes  Themes  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
TieringEngineService  Storage Tiers Management  TieringEngineService.exe  10.0.18362.1  Own Process  Stopped  localSystem
TimeBrokerSvc  Time Broker  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
TokenBroker  Web Account Manager  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
TrkWks  Distributed Link Tracking Client  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
TroubleshootingSvc  Recommended Troubleshooting Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
TrustedInstaller  Windows Modules Installer  TrustedInstaller.exe  10.0.18362.719  Own Process  Stopped  localSystem
tzautoupdate  Auto Time Zone Updater  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
UmRdpService  Remote Desktop Services UserMode Port Redirector  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
UnistoreSvc_4672ec  User Data Storage_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
upnphost  UPnP Device Host  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
UserDataSvc_4672ec  User Data Access_4672ec  svchost.exe  10.0.18362.1  Unknown  Stopped  
UserManager  User Manager  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
UsoSvc  Update Orchestrator Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
VacSvc  Volumetric Audio Compositor Service  svchost.exe  10.0.18362.1  Own Process  Stopped  NT AUTHORITY\LocalService
VaultSvc  Credential Manager  lsass.exe  10.0.18362.1  Share Process  Running  LocalSystem
vds  Virtual Disk  vds.exe  10.0.18362.267  Own Process  Stopped  LocalSystem
vmicguestinterface  Hyper-V Guest Service Interface  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmicheartbeat  Hyper-V Heartbeat Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmickvpexchange  Hyper-V Data Exchange Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmicrdv  Hyper-V Remote Desktop Virtualization Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmicshutdown  Hyper-V Guest Shutdown Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmictimesync  Hyper-V Time Synchronization Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
vmicvmsession  Hyper-V PowerShell Direct Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
vmicvss  Hyper-V Volume Shadow Copy Requestor  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
VSS  Volume Shadow Copy  vssvc.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
W32Time  Windows Time  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
WaaSMedicSvc  Windows Update Medic Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
WalletService  WalletService  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
WarpJITSvc  WarpJITSvc  svchost.exe  10.0.18362.1  Own Process  Stopped  NT Authority\LocalService
wbengine  Block Level Backup Engine Service  wbengine.exe  10.0.18362.657  Own Process  Stopped  localSystem
WbioSrvc  Windows Biometric Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
Wcmsvc  Windows Connection Manager  svchost.exe  10.0.18362.1  Own Process  Running  NT Authority\LocalService
wcncsvc  Windows Connect Now - Config Registrar  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
WdiServiceHost  Diagnostic Service Host  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
WdiSystemHost  Diagnostic System Host  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
WdNisSvc  Windows Defender Antivirus Network Inspection Service  NisSrv.exe  4.18.2001.10  Own Process  Running  NT AUTHORITY\LocalService
WebClient  WebClient  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
Wecsvc  Windows Event Collector  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\NetworkService
WEPHOSTSVC  Windows Encryption Provider Host Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
wercplsupport  Problem Reports and Solutions Control Panel Support  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
WerSvc  Windows Error Reporting Service  svchost.exe  10.0.18362.1  Own Process  Stopped  localSystem
WFDSConMgrSvc  Wi-Fi Direct Services Connection Manager Service  svchost.exe  10.0.18362.1  Unknown  Stopped  NT AUTHORITY\LocalService
WiaRpc  Still Image Acquisition Events  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
WinDefend  Windows Defender Antivirus Service  MsMpEng.exe  4.18.2001.10  Own Process  Running  LocalSystem
WinHttpAutoProxySvc  WinHTTP Web Proxy Auto-Discovery Service  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
Winmgmt  Windows Management Instrumentation  svchost.exe  10.0.18362.1  Unknown  Running  localSystem
WinRM  Windows Remote Management (WS-Management)  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\NetworkService
wisvc  Windows Insider Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
WlanSvc  WLAN AutoConfig  svchost.exe  10.0.18362.1  Own Process  Running  LocalSystem
wlidsvc  Microsoft Account Sign-in Assistant  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
wlpasvc  Local Profile Assistant Service  svchost.exe  10.0.18362.1  Share Process  Stopped  NT Authority\LocalService
WManSvc  Windows Management Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
wmiApSrv  WMI Performance Adapter  WmiApSrv.exe  10.0.18362.1  Own Process  Stopped  localSystem
WMPNetworkSvc  Windows Media Player Network Sharing Service  wmpnetwk.exe    Own Process  Stopped  NT AUTHORITY\NetworkService
workfolderssvc  Work Folders  svchost.exe  10.0.18362.1  Share Process  Stopped  NT AUTHORITY\LocalService
WpcMonSvc  Parental Controls  svchost.exe  10.0.18362.1  Own Process  Stopped  LocalSystem
WPDBusEnum  Portable Device Enumerator Service  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
WpnService  Windows Push Notifications System Service  svchost.exe  10.0.18362.1  Unknown  Running  LocalSystem
WpnUserService_4672ec  Windows Push Notifications User Service_4672ec  svchost.exe  10.0.18362.1  Unknown  Running  
wscsvc  Security Center  svchost.exe  10.0.18362.1  Unknown  Running  NT AUTHORITY\LocalService
WSearch  Windows Search  SearchIndexer.exe  7.0.18362.719  Own Process  Running  LocalSystem
wuauserv  Windows Update  svchost.exe  10.0.18362.1  Unknown  Stopped  LocalSystem
WwanSvc  WWAN AutoConfig  svchost.exe  10.0.18362.1  Share Process  Stopped  localSystem
XblAuthManager  Xbox Live Auth Manager  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
XblGameSave  Xbox Live Game Save  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
XboxGipSvc  Xbox Accessory Management Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem
XboxNetApiSvc  Xbox Live Networking Service  svchost.exe  10.0.18362.1  Share Process  Stopped  LocalSystem


AX Files

 
AX File  Version  Description
bdaplgin.ax  10.0.18362.1  Microsoft BDA Device Control Plug-in for MPEG2 based networks.
g711codc.ax  10.0.18362.1  Intel G711 CODEC
iac25_32.ax  2.0.5.53  Indeo® audio software
ir41_32.ax  10.0.18362.1  IR41_32 WRAPPER DLL
ivfsrc.ax  5.10.2.51  Intel Indeo® video IVF Source Filter 5.10
ksproxy.ax  10.0.18362.1  WDM Streaming ActiveMovie Proxy
kstvtune.ax  10.0.18362.1  WDM Streaming TvTuner
kswdmcap.ax  10.0.18362.1  WDM Streaming Video Capture
ksxbar.ax  10.0.18362.1  WDM Streaming Crossbar
mpeg2data.ax  10.0.18362.1  Microsoft MPEG-2 Section and Table Acquisition Module
mpg2splt.ax  10.0.18362.1  DirectShow MPEG-2 Splitter.
msdvbnp.ax  10.0.18362.1  Microsoft Network Provider for MPEG2 based networks.
msnp.ax  10.0.18362.1  Microsoft Network Provider for MPEG2 based networks.
psisrndr.ax  10.0.18362.1  Microsoft Transport Information Filter for MPEG2 based networks.
vbicodec.ax  10.0.18362.1  Microsoft VBI Codec
vbisurf.ax  10.0.18362.1  VBI Surface Allocator Filter
vidcap.ax  10.0.18362.1  Video Capture Interface Server
wstpager.ax  10.0.18362.1  Microsoft Teletext Server


DLL Files

 
DLL File  Version  Description
aadauthhelper.dll  10.0.18362.1  Microsoft® AAD Auth Helper
aadtb.dll  10.0.18362.113  AAD Token Broker Helper Library
aadwamextension.dll  10.0.18362.1  AAD WAM extension DLL
abovelockapphost.dll  10.0.18362.1  AboveLockAppHost
accessibilitycpl.dll  10.0.18362.449  Ease of access control panel
accountaccessor.dll  10.0.18362.1  Sync data model to access accounts
accountsrt.dll  10.0.18362.1  Accounts RT utilities for mail, contacts, calendar
acgenral.dll  10.0.18362.449  Windows Compatibility DLL
aclayers.dll  10.0.18362.449  Windows Compatibility DLL
acledit.dll  10.0.18362.1  Access Control List Editor
aclui.dll  10.0.18362.1  Security Descriptor Editor
acppage.dll  10.0.18362.1  Compatibility Tab Shell Extension Library
acspecfc.dll  10.0.18362.207  Windows Compatibility DLL
actioncenter.dll  10.0.18362.1  Security and Maintenance
actioncentercpl.dll  10.0.18362.1  Security and Maintenance Control Panel
activationclient.dll  10.0.18362.1  Activation Client
activationmanager.dll  10.0.18362.693  Activation Manager
activeds.dll  10.0.18362.1  ADs Router Layer DLL
activesyncprovider.dll  10.0.18362.1  The engine that syncs ActiveSync accounts
actxprxy.dll  10.0.18362.329  ActiveX Interface Marshaling Library
acwinrt.dll  10.0.18362.1  Windows Compatibility DLL
acwow64.dll  10.0.18362.1  Windows Compatibility for 32bit Apps on Win64
acxtrnal.dll  10.0.18362.449  Windows Compatibility DLL
adaptivecards.dll  10.0.18362.1  Windows Adaptive Cards API Server
addressparser.dll  10.0.18362.1  ADDRESSPARSER
adprovider.dll  10.0.18362.1  adprovider DLL
adsldp.dll  10.0.18362.1  ADs LDAP Provider DLL
adsldpc.dll  10.0.18362.1  ADs LDAP Provider C DLL
adsmsext.dll  10.0.18362.1  ADs LDAP Provider DLL
adsnt.dll  10.0.18362.1  ADs Windows NT Provider DLL
adtschema.dll  10.0.18362.1  Security Audit Schema DLL
advapi32.dll  10.0.18362.329  Advanced Windows 32 Base API
advapi32res.dll  10.0.18362.1  Advanced Windows 32 Base API
advpack.dll  11.0.18362.1  ADVPACK
aeevts.dll  10.0.18362.1  Application Experience Event Resources
aepic.dll  10.0.18362.1023  Application Experience Program Cache
altspace.dll  10.0.18362.1  
amsi.dll  10.0.18362.1  Anti-Malware Scan Interface
amstream.dll  10.0.18362.1  DirectShow Runtime.
analogcommonproxystub.dll  10.0.18362.1  Analog Common Proxy Stub
apds.dll  10.0.18362.1  Microsoft® Help Data Services Module
aphostclient.dll  10.0.18362.1  Accounts Host Service RPC Client
api-ms-win-core-console-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-datetime-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-debug-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-errorhandling-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-file-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-file-l1-2-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-file-l2-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-handle-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-heap-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-interlocked-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-libraryloader-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-localization-l1-2-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-memory-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-namedpipe-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-processenvironment-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-processthreads-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-processthreads-l1-1-1.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-profile-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-rtlsupport-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-string-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-synch-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-synch-l1-2-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-sysinfo-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-timezone-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-core-util-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-convert-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-environment-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-filesystem-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-heap-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-locale-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-math-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-multibyte-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-runtime-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-stdio-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-string-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-time-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
api-ms-win-crt-utility-l1-1-0.dll  10.0.10137.0  ApiSet Stub DLL
apisethost.appexecutionalias.dll  10.0.18362.476  ApiSetHost.AppExecutionAlias
appcontracts.dll  10.0.18362.1  Windows AppContracts API Server
appextension.dll  10.0.18362.1  AppExtension API
apphelp.dll  10.0.18362.1  Application Compatibility Client Library
apphlpdm.dll  10.0.18362.1  Application Compatibility Help Module
appidapi.dll  10.0.18362.1  Application Identity APIs Dll
appinstallerprompt.desktop.dll  10.0.18362.1  AppInstaller Prompt Desktop
applockercsp.dll  10.0.18362.1  AppLockerCSP
appointmentactivation.dll  10.0.18362.1  DLL for AppointmentActivation
appointmentapis.dll  10.0.18362.1  DLL for CalendarRT
apprepapi.dll  10.0.18362.1  Application Reputation APIs Dll
appresolver.dll  10.0.18362.356  App Resolver
appxalluserstore.dll  10.0.18362.719  AppX All User Store DLL
appxapplicabilityengine.dll  10.0.18362.1  AppX Applicability Engine
appxdeploymentclient.dll  10.0.18362.719  AppX Deployment Client DLL
appxpackaging.dll  10.0.18362.295  Native Code Appx Packaging Library
appxsip.dll  10.0.18362.1  Appx Subject Interface Package
archiveint.dll  3.3.2.0  Windows-internal libarchive library
asferror.dll  12.0.18362.1  ASF Error Definitions
aspnet_counters.dll  4.8.3752.0  Microsoft ASP.NET Performance Counter Shim DLL
assignedaccessruntime.dll  10.0.18362.387  AssignedAccessRuntime
asycfilt.dll  10.0.18362.693  ASYCFILT.DLL
atl.dll  3.5.2284.0  ATL Module for Windows XP (Unicode)
atl100.dll  10.0.40219.325  ATL Module for Windows
atl110.dll  11.0.60610.1  ATL Module for Windows
atlthunk.dll  10.0.18362.1  atlthunk.dll
atmlib.dll  5.1.2.254  Windows NT OpenType/Type 1 API Library.
audiodev.dll  10.0.18362.1  Portable Media Devices Shell Extension
audioeng.dll  10.0.18362.628  Audio Engine
audiokse.dll  10.0.18362.628  Audio Ks Endpoint
audioses.dll  10.0.18362.628  Audio Session
auditpolcore.dll  10.0.18362.1  Audit Policy Program
authbroker.dll  10.0.18362.1  Web Authentication WinRT API
authbrokerui.dll  10.0.18362.1  AuthBroker UI
authext.dll  10.0.18362.1  Authentication Extensions
authfwcfg.dll  10.0.18362.1  Windows Defender Firewall with Advanced Security Configuration Helper
authfwgp.dll  10.0.18362.1  Windows Defender Firewall with Advanced Security Group Policy Editor Extension
authfwsnapin.dll  10.0.18362.1  Microsoft.WindowsFirewall.SnapIn
authfwwizfwk.dll  10.0.18362.1  Wizard Framework
authui.dll  10.0.18362.1  Windows Authentication UI
authz.dll  10.0.18362.1  Authorization Framework
autoplay.dll  10.0.18362.1  AutoPlay Control Panel
avicap32.dll  10.0.18362.1  AVI Capture window class
avifil32.dll  10.0.18362.1  Microsoft AVI File support library
avrt.dll  10.0.18362.1  Multimedia Realtime Runtime
azroles.dll  10.0.18362.1  azroles Module
azroleui.dll  10.0.18362.1  Authorization Manager
azsqlext.dll  10.0.18362.1  AzMan Sql Audit Extended Stored Procedures Dll
azuresettingsyncprovider.dll  10.0.18362.1  Azure Setting Sync Provider
backgroundmediapolicy.dll  10.0.18362.1  <d> Background Media Policy DLL
bamsettingsclient.dll  10.0.18362.1  Background Activity Moderator Settings Client
basecsp.dll  10.0.18362.1  Microsoft Base Smart Card Crypto Provider
batmeter.dll  10.0.18362.1  Battery Meter Helper DLL
bcastdvr.proxy.dll  10.0.18362.1  Broadcast DVR Proxy
bcastdvrbroker.dll  10.0.18362.1  Windows Runtime BcastDVRBroker DLL
bcastdvrclient.dll  10.0.18362.1  Windows Runtime BcastDVRClient DLL
bcastdvrcommon.dll  10.0.18362.1  Windows Runtime BcastDVRCommon DLL
bcd.dll  10.0.18362.1  BCD DLL
bcp47langs.dll  10.0.18362.657  BCP47 Language Classes
bcp47mrm.dll  10.0.18362.657  BCP47 Language Classes for Resource Management
bcrypt.dll  10.0.18362.267  Windows Cryptographic Primitives Library
bcryptprimitives.dll  10.0.18362.295  Windows Cryptographic Primitives Library
bidispl.dll  10.0.18362.1  Bidispl DLL
bingmaps.dll  10.0.18362.1  Bing Map Control
bingonlineservices.dll  10.0.18362.1  Bing online services
biocredprov.dll  10.0.18362.1  WinBio Credential Provider
bitlockercsp.dll  10.0.18362.329  BitLockerCSP
bitsperf.dll  7.8.18362.1  Perfmon Counter Access
bitsproxy.dll  7.8.18362.1  Background Intelligent Transfer Service Proxy
biwinrt.dll  10.0.18362.1  Windows Background Broker Infrastructure
bluetoothapis.dll  10.0.18362.1  Bluetooth Usermode Api host
bootvid.dll  10.0.18362.1  VGA Boot Driver
browcli.dll  10.0.18362.1  Browser Service Client DLL
browsersettingsync.dll  10.0.18362.1  Browser Setting Synchronization
browseui.dll  10.0.18362.1  Shell Browser UI Library
btagservice.dll  10.0.18362.449  Bluetooth Audio Gateway Service
bthtelemetry.dll  10.0.18362.1  Bluetooth Telemetry Agent
btpanui.dll  10.0.18362.1  Bluetooth PAN User Interface
bwcontexthandler.dll  1.0.0.1  ContextH Application
c_g18030.dll  10.0.18362.1  GB18030 DBCS-Unicode Conversion DLL
c_gsm7.dll  10.0.18362.1  GSM 7bit Code Page Translation DLL for SMS
c_is2022.dll  10.0.18362.1  ISO-2022 Code Page Translation DLL
c_iscii.dll  10.0.18362.1  ISCII Code Page Translation DLL
cabapi.dll  10.0.18362.1  Mobile Cabinet Library
cabinet.dll  5.0.1.1  Microsoft® Cabinet File API
cabview.dll  10.0.18362.1  Cabinet File Viewer Shell Extension
callbuttons.dll  10.0.18362.1  Windows Runtime CallButtonsServer DLL
callbuttons.proxystub.dll  10.0.18362.1  Windows Runtime CallButtonsServer ProxyStub DLL
callhistoryclient.dll  10.0.18362.1  Client DLL for accessing CallHistory information
cameracaptureui.dll  10.0.18362.1  Microsoft® Windows® Operating System
canonurl.dll  10.0.18362.1  CanonUrl
capabilityaccessmanagerclient.dll  10.0.18362.1  Capability Access Manager Client
capauthz.dll  10.0.18362.1  Capability Authorization APIs
capiprovider.dll  10.0.18362.1  capiprovider DLL
capisp.dll  10.0.18362.1  Sysprep cleanup dll for CAPI
castingshellext.dll  10.0.18362.1  Casting Shell Extensions
catsrv.dll  2001.12.10941.16384  COM+ Configuration Catalog Server
catsrvps.dll  2001.12.10941.16384  COM+ Configuration Catalog Server Proxy/Stub
catsrvut.dll  2001.12.10941.16384  COM+ Configuration Catalog Server Utilities
cca.dll  10.0.18362.1  CCA DirectShow Filter.
cdosys.dll  6.6.18362.1  Microsoft CDO for Windows Library
cdp.dll  10.0.18362.657  Microsoft (R) CDP Client API
cdprt.dll  10.0.18362.1  Microsoft (R) CDP Client WinRT API
cemapi.dll  10.0.18362.1  CEMAPI
certca.dll  10.0.18362.1  Microsoft® Active Directory Certificate Services CA
certcli.dll  10.0.18362.1  Microsoft® Active Directory Certificate Services Client
certcredprovider.dll  10.0.18362.1  Cert Credential Provider
certenc.dll  10.0.18362.1  Active Directory Certificate Services Encoding
certenroll.dll  10.0.18362.387  Microsoft® Active Directory Certificate Services Enrollment Client
certenrollui.dll  10.0.18362.1  X509 Certificate Enrollment UI
certmgr.dll  10.0.18362.1  Certificates snap-in
certpkicmdlet.dll  10.0.18362.1  Microsoft® PKI Client Cmdlets
certpoleng.dll  10.0.18362.1  Certificate Policy Engine
cewmdm.dll  12.0.18362.1  Windows CE WMDM Service Provider
cfgbkend.dll  10.0.18362.1  Configuration Backend Interface
cfgmgr32.dll  10.0.18362.387  Configuration Manager DLL
cfmifs.dll  10.0.18362.1  FmIfs Engine
cfmifsproxy.dll  10.0.18362.1  Microsoft® FmIfs Proxy Library
chakra.dll  11.0.18362.719  Microsoft ® Chakra (Private)
chakradiag.dll  11.0.18362.719  Microsoft ® Chakra Diagnostics (Private)
chakrathunk.dll  10.0.18362.719  chakrathunk.dll
chartv.dll  10.0.18362.1  Chart View
chatapis.dll  10.0.18362.1  DLL for ChatRT
chxreadingstringime.dll  10.0.18362.1  CHxReadingStringIME
cic.dll  10.0.18362.1  CIC - MMC controls for Taskpad
clb.dll  10.0.18362.1  Column List Box
clbcatq.dll  2001.12.10941.16384  COM+ Configuration Catalog
cldapi.dll  10.0.18362.1  Cloud API user mode API
clfsw32.dll  10.0.18362.592  Common Log Marshalling Win32 DLL
cliconfg.dll  10.0.18362.1  SQL Client Configuration Utility DLL
clipboardserver.dll  10.0.18362.1  Modern Clipboard API Server
clipc.dll  10.0.18362.1  Client Licensing Platform Client
cloudexperiencehostcommon.dll  10.0.18362.535  CloudExperienceHostCommon
cloudexperiencehostuser.dll  10.0.18362.1  CloudExperienceHost User Operations
clrhost.dll  10.0.18362.1  In Proc server for managed servers in the Windows Runtime
clusapi.dll  10.0.18362.628  Cluster API Library
cmcfg32.dll  7.2.18362.1  Microsoft Connection Manager Configuration Dll
cmdext.dll  10.0.18362.1  cmd.exe Extension DLL
cmdial32.dll  7.2.18362.1  Microsoft Connection Manager
cmgrcspps.dll  10.0.18362.1  cmgrcspps
cmifw.dll  10.0.18362.1  Windows Defender Firewall rule configuration plug-in
cmintegrator.dll  10.0.18362.267  cmintegrator.dll
cmlua.dll  7.2.18362.1  Connection Manager Admin API Helper
cmpbk32.dll  7.2.18362.1  Microsoft Connection Manager Phonebook
cmstplua.dll  7.2.18362.1  Connection Manager Admin API Helper for Setup
cmutil.dll  7.2.18362.1  Microsoft Connection Manager Utility Lib
cngcredui.dll  10.0.18362.1  Microsoft CNG CredUI Provider
cngprovider.dll  10.0.18362.1  cngprovider DLL
cnvfat.dll  10.0.18362.1  FAT File System Conversion Utility DLL
colbact.dll  2001.12.10941.16384  COM+
coloradapterclient.dll  10.0.18362.267  Microsoft Color Adapter Client
colorcnv.dll  10.0.18362.1  Windows Media Color Conversion
colorui.dll  10.0.18362.1  Microsoft Color Control Panel
combase.dll  10.0.18362.693  Microsoft COM for Windows
comcat.dll  10.0.18362.1  Microsoft Component Category Manager Library
comctl32.dll  5.82.18362.720  User Experience Controls Library
comdlg32.dll  10.0.18362.693  Common Dialogs DLL
coml2.dll  10.0.18362.1  Microsoft COM for Windows
compobj.dll  3.10.0.103  Windows Win16 Application Launcher
composableshellproxystub.dll  10.0.18362.387  Composable Shell Shared Proxy Stub
comppkgsup.dll  10.0.18362.1  Component Package Support DLL
compstui.dll  10.0.18362.628  Common Property Sheet User Interface DLL
comrepl.dll  2001.12.10941.16384  COM+
comres.dll  2001.12.10941.16384  COM+ Resources
comsnap.dll  2001.12.10941.16384  COM+ Explorer MMC Snapin
comsvcs.dll  2001.12.10941.16384  COM+ Services
comuid.dll  2001.12.10941.16384  COM+ Explorer UI
concrt140.dll  14.16.27033.0  Microsoft® Concurrency Runtime Library
configureexpandedstorage.dll  10.0.18362.1  ConfigureExpandedStorage
connect.dll  10.0.18362.1  Get Connected Wizards
connectedaccountstate.dll  10.0.18362.1  ConnectedAccountState.dll
console.dll  10.0.18362.1  Control Panel Console Applet
consolelogon.dll  10.0.18362.1  Console Logon User Experience
contactactivation.dll  10.0.18362.1  DLL for ContactActivation
contactapis.dll  10.0.18362.1  DLL for ContactsRT
container.dll  10.0.18362.387  Windows Containers
contentdeliverymanager.utilities.dll  10.0.18362.329  ContentDeliveryManager.Utilities
coremessaging.dll  10.0.18362.1  Microsoft CoreMessaging Dll
coremmres.dll  10.0.18362.1  General Core Multimedia Resources
coreshellapi.dll  10.0.18362.1  CoreShellAPI
coreuicomponents.dll  10.0.18362.207  Microsoft Core UI Components Dll
cortana.persona.dll  10.0.18362.1  Cortana.Persona
cortanamapihelper.dll  10.0.18362.1  CortanaMapiHelper
cortanamapihelper.proxystub.dll  10.0.18362.1  CortanaMapiHelper.ProxyStub
cpfilters.dll  10.0.18362.720   PTFilter & Encypter/Decrypter Tagger Filters.
credprov2fahelper.dll  10.0.18362.1  Credential Provider 2FA Helper
credprovdatamodel.dll  10.0.18362.449  Cred Prov Data Model
credprovhelper.dll  10.0.18362.1  Credential Provider Helper
credprovhost.dll  10.0.18362.1  Credential Provider Framework Host
credprovs.dll  10.0.18362.1  Credential Providers
credprovslegacy.dll  10.0.18362.1  Credential Providers Legacy
credssp.dll  10.0.18362.1  Credential Delegation Security Package
credui.dll  10.0.18362.1  Credential Manager User Interface
crtdll.dll  4.0.1183.1  Microsoft C Runtime Library
crypt32.dll  10.0.18362.592  Crypto API32
cryptbase.dll  10.0.18362.1  Base cryptographic API DLL
cryptdlg.dll  10.0.18362.1  Microsoft Common Certificate Dialogs
cryptdll.dll  10.0.18362.113  Cryptography Manager
cryptext.dll  10.0.18362.1  Crypto Shell Extensions
cryptnet.dll  10.0.18362.1  Crypto Network Related API
cryptngc.dll  10.0.18362.329  Microsoft Passport API
cryptowinrt.dll  10.0.18362.1  Crypto WinRT Library
cryptsp.dll  10.0.18362.1  Cryptographic Service Provider API
crypttpmeksvc.dll  10.0.18362.1  Cryptographic TPM Endorsement Key Services
cryptui.dll  10.0.18362.476  Microsoft Trust UI Provider
cryptuiwizard.dll  10.0.18362.1  Microsoft Trust UI Provider
cryptxml.dll  10.0.18362.1  XML DigSig API
cscapi.dll  10.0.18362.1  Offline Files Win32 API
cscdll.dll  10.0.18362.1  Offline Files Temporary Shim
ctl3d32.dll  2.31.0.0  Ctl3D 3D Windows Controls
d2d1.dll  10.0.18362.1  Microsoft D2D Library
d3d10.dll  10.0.18362.1  Direct3D 10 Runtime
d3d10_1.dll  10.0.18362.1  Direct3D 10.1 Runtime
d3d10_1core.dll  10.0.18362.1  Direct3D 10.1 Runtime
d3d10core.dll  10.0.18362.1  Direct3D 10 Runtime
d3d10level9.dll  10.0.18362.1  Direct3D 10 to Direct3D9 Translation Runtime
d3d10warp.dll  10.0.18362.356  Direct3D Rasterizer
d3d11.dll  10.0.18362.387  Direct3D 11 Runtime
d3d11on12.dll  10.0.18362.387  Direct3D 11On12 Runtime
d3d12.dll  10.0.18362.329  Direct3D 12 Runtime
d3d8.dll  10.0.18362.356  Microsoft Direct3D
d3d8thk.dll  10.0.18362.387  Microsoft Direct3D OS Thunk Layer
d3d9.dll  10.0.18362.387  Direct3D 9 Runtime
d3d9on12.dll  10.0.18362.387  Direct3D9 DDI to Direct3D12 API Mapping Layer
d3dcompiler_47.dll  10.0.18362.1  Direct3D HLSL Compiler
d3dim.dll  10.0.18362.1  Microsoft Direct3D
d3dim700.dll  10.0.18362.1  Microsoft Direct3D
d3dramp.dll  10.0.18362.1  Microsoft Direct3D
d3dscache.dll  10.0.18362.1  Microsoft (R) D3D Shader Caching Library
d3dxof.dll  10.0.18362.1  DirectX Files DLL
dabapi.dll  10.0.18362.1  Desktop Activity Broker API
dafprintprovider.dll  10.0.18362.628  DAF Print Provider DLL
daotpcredentialprovider.dll  10.0.18362.1  DirectAccess One-Time Password Credential Provider
dataclen.dll  10.0.18362.1  Disk Space Cleaner for Windows
dataexchange.dll  10.0.18362.1  Data exchange
davclnt.dll  10.0.18362.1  Web DAV Client DLL
davhlpr.dll  10.0.18362.1  DAV Helper DLL
davsyncprovider.dll  10.0.18362.329  DAV sync engine for contacts, calendar
daxexec.dll  10.0.18362.693  daxexec
dbgcore.dll  10.0.18362.1  Windows Core Debugging Helpers
dbgeng.dll  10.0.18362.1  Windows Symbolic Debugger Engine
dbghelp.dll  10.0.18362.1  Windows Image Helper
dbgmodel.dll  10.0.18362.1  Windows Debugger Data Model
dbnetlib.dll  10.0.18362.1  Winsock Oriented Net DLL for SQL Clients
dbnmpntw.dll  10.0.18362.1  Named Pipes Net DLL for SQL Clients
dciman32.dll  10.0.18362.535  DCI Manager
dcomp.dll  10.0.18362.387  Microsoft DirectComposition Library
ddaclsys.dll  10.0.18362.1  SysPrep module for Resetting Data Drive ACL
ddisplay.dll  10.0.18362.1  DirectDisplay
ddoiproxy.dll  10.0.18362.1  DDOI Interface Proxy
ddores.dll  10.0.18362.1  Device Category information and resources
ddraw.dll  10.0.18362.356  Microsoft DirectDraw
ddrawex.dll  10.0.18362.356  Direct Draw Ex
defaultdevicemanager.dll  10.0.18362.1  Default Device Manager
defaultprinterprovider.dll  10.0.18362.1  Microsoft Windows Default Printer Provider
delegatorprovider.dll  10.0.18362.1  WMI PassThru Provider for Storage Management
desktopshellappstatecontract.dll  10.0.18362.1  Desktop Switcher Data Model
devdispitemprovider.dll  10.0.18362.1  DeviceItem inproc devquery subsystem
devenum.dll  10.0.18362.1  Device enumeration.
deviceaccess.dll  10.0.18362.1  Device Broker And Policy COM Server
deviceassociation.dll  10.0.18362.1  Device Association Client DLL
devicecenter.dll  10.0.18362.329  Device Center
devicecredential.dll  10.0.18362.1  Microsoft Companion Authenticator Client
devicedisplaystatusmanager.dll  10.0.18362.1  Device Display Status Manager
deviceflows.datamodel.dll  10.0.18362.1  DeviceFlows DataModel
devicengccredprov.dll  10.0.18362.1  Microsoft Companion Authenticator Credential Provider
devicepairing.dll  10.0.18362.1  Shell extensions for Device Pairing
devicepairingfolder.dll  10.0.18362.1  Device Pairing Folder
devicepairingproxy.dll  10.0.18362.1  Device Pairing Proxy Dll
devicereactivation.dll  10.0.18362.693  DeviceReactivation
devicesetupstatusprovider.dll  10.0.18362.1  Device Setup Status Provider Dll
deviceuxres.dll  10.0.18362.1  Windows Device User Experience Resource File
devmgr.dll  10.0.18362.1  Device Manager MMC Snapin
devobj.dll  10.0.18362.387  Device Information Set DLL
devrtl.dll  10.0.18362.387  Device Management Run Time Library
dfscli.dll  10.0.18362.1  Windows NT Distributed File System Client DLL
dfshim.dll  10.0.18362.1  ClickOnce Application Deployment Support Library
dfsshlex.dll  10.0.18362.1  Distributed File System shell extension
dhcpcmonitor.dll  10.0.18362.1  DHCP Client Monitor Dll
dhcpcore.dll  10.0.18362.267  DHCP Client Service
dhcpcore6.dll  10.0.18362.267  DHCPv6 Client
dhcpcsvc.dll  10.0.18362.267  DHCP Client Service
dhcpcsvc6.dll  10.0.18362.267  DHCPv6 Client
dhcpsapi.dll  10.0.18362.1  DHCP Server API Stub DLL
diagnosticinvoker.dll  10.0.18362.1  Microsoft Windows operating system.
dialclient.dll  10.0.18362.1  DIAL DLL
dictationmanager.dll  10.0.0.1  Dictation Manager
difxapi.dll  2.1.0.0  Driver Install Frameworks for API library module
dimsjob.dll  10.0.18362.1  DIMS Job DLL
dimsroam.dll  10.0.18362.1  Key Roaming DIMS Provider DLL
dinput.dll  10.0.18362.1  Microsoft DirectInput
dinput8.dll  10.0.18362.1  Microsoft DirectInput
direct2ddesktop.dll  10.0.18362.1  Microsoft Direct2D Desktop Components
directmanipulation.dll  10.0.18362.1  Microsoft Direct Manipulation Component
directml.dll  10.0.18362.693  Microsoft DirectML Library
dismapi.dll  10.0.18362.1  DISM API Framework
dispbroker.dll  10.0.18362.1  Display Broker API
dispex.dll  5.812.10240.16384  Microsoft ® DispEx
display.dll  10.0.18362.1  Display Control Panel
displaymanager.dll  10.0.18362.1  DisplayManager
dlnashext.dll  10.0.18362.1  DLNA Namespace DLL
dmalertlistener.proxystub.dll  10.0.18362.719  ProxyStub for DeviceManagment Alert
dmappsres.dll  10.0.18362.1  DMAppsRes
dmband.dll  10.0.18362.1  Microsoft DirectMusic Band
dmcfgutils.dll  10.0.18362.1  dmcfgutils
dmcmnutils.dll  10.0.18362.719  dmcmnutils
dmcommandlineutils.dll  10.0.18362.1  dmcommandlineutils
dmcompos.dll  10.0.18362.1  Microsoft DirectMusic Composer
dmdlgs.dll  10.0.18362.1  Disk Management Snap-in Dialogs
dmdskmgr.dll  10.0.18362.1  Disk Management Snap-in Support Library
dmdskres.dll  10.0.18362.1  Disk Management Snap-in Resources
dmdskres2.dll  10.0.18362.1  Disk Management Snap-in Resources
dmenrollengine.dll  10.0.18362.387  Enroll Engine DLL
dmime.dll  10.0.18362.1  Microsoft DirectMusic Interactive Engine
dmintf.dll  10.0.18362.1  Disk Management DCOM Interface Stub
dmiso8601utils.dll  10.0.18362.1  dmiso8601utils
dmloader.dll  10.0.18362.1  Microsoft DirectMusic Loader
dmocx.dll  10.0.18362.1  TreeView OCX
dmoleaututils.dll  10.0.18362.1  dmoleaututils
dmprocessxmlfiltered.dll  10.0.18362.1  dmprocessxmlfiltered
dmpushproxy.dll  10.0.18362.1  dmpushproxy
dmrcdecoder.dll  1.0.0.30  Digimarc Decoder 11/8/2017 6:30 AM [TGNP4W2UT0BB8JC]
dmscript.dll  10.0.18362.1  Microsoft DirectMusic Scripting
dmstyle.dll  10.0.18362.1  Microsoft DirectMusic Style Engline
dmsynth.dll  10.0.18362.1  Microsoft DirectMusic Software Synthesizer
dmusic.dll  10.0.18362.1  Microsoft DirectMusic Core Services
dmutil.dll  10.0.18362.1  Logical Disk Manager Utility Library
dmvdsitf.dll  10.0.18362.449  Disk Management Snap-in Support Library
dmxmlhelputils.dll  10.0.18362.1  dmxmlhelputils
dnsapi.dll  10.0.18362.267  DNS Client API DLL
dnscmmc.dll  10.0.18362.1  DNS Client MMC Snap-in DLL
docprop.dll  10.0.18362.1  OLE DocFile Property Page
dolbydecmft.dll  10.0.18362.719  Media Foundation Dolby Digital Atmos Decoders
dot3api.dll  10.0.18362.693  802.3 Autoconfiguration API
dot3cfg.dll  10.0.18362.1  802.3 Netsh Helper
dot3dlg.dll  10.0.18362.1  802.3 UI Helper
dot3gpclnt.dll  10.0.18362.1  802.3 Group Policy Client
dot3gpui.dll  10.0.18362.1  802.3 Network Policy Management Snap-in
dot3hc.dll  10.0.18362.1  Dot3 Helper Class
dot3msm.dll  10.0.18362.693  802.3 Media Specific Module
dot3ui.dll  10.0.18362.1  802.3 Advanced UI
dpapi.dll  10.0.18362.1  Data Protection API
dpapiprovider.dll  10.0.18362.1  dpapiprovider DLL
dplayx.dll  10.0.18362.1  DirectPlay Stub
dpmodemx.dll  10.0.18362.1  DirectPlay Stub
dpnaddr.dll  10.0.18362.1  DirectPlay Stub
dpnathlp.dll  10.0.18362.1  DirectPlay Stub
dpnet.dll  10.0.18362.1  DirectPlay Stub
dpnhpast.dll  10.0.18362.1  DirectPlay Stub
dpnhupnp.dll  10.0.18362.1  DirectPlay Stub
dpnlobby.dll  10.0.18362.1  DirectPlay Stub
dpwsockx.dll  10.0.18362.1  DirectPlay Stub
dpx.dll  5.0.1.1  Microsoft(R) Delta Package Expander
dragdropexperiencecommon.dll  10.0.18362.1  In-Proc WinRT server for Windows.Internal.PlatformExtensions.DragDropExperienceCommon
dragdropexperiencedataexchangedelegated.dll  10.0.18362.1  In-Proc WinRT server for Windows.Internal.PlatformExtensions.DragDropExperienceDataExchangeDelegated
drprov.dll  10.0.18362.1  Microsoft Remote Desktop Session Host Server Network Provider
drt.dll  10.0.18362.1  Distributed Routing Table
drtprov.dll  10.0.18362.1  Distributed Routing Table Providers
drttransport.dll  10.0.18362.1  Distributed Routing Table Transport Provider
drvsetup.dll  10.0.18362.267  Microsoft (R) Driver Setup
drvstore.dll  10.0.18362.1  Driver Store API
dsauth.dll  10.0.18362.1  DS Authorization for Services
dsccoreconfprov.dll  6.2.9200.16384  DSC
dsclient.dll  10.0.18362.1  Data Sharing Service Client DLL
dsdmo.dll  10.0.18362.1  DirectSound Effects
dskquota.dll  10.0.18362.1  Windows Shell Disk Quota Support DLL
dskquoui.dll  10.0.18362.1  Windows Shell Disk Quota UI DLL
dsound.dll  10.0.18362.1  DirectSound
dsparse.dll  10.0.18362.1  Active Directory Domain Services API
dsprop.dll  10.0.18362.1  Windows Active Directory Property Pages
dsquery.dll  10.0.18362.1  Directory Service Find
dsreg.dll  10.0.18362.30  AD/AAD User Device Registration
dsregtask.dll  10.0.18362.1  DSREG task handler
dsrole.dll  10.0.18362.1  DS Setup Client DLL
dssec.dll  10.0.18362.1  Directory Service Security UI
dssenh.dll  10.0.18362.1  Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
dsui.dll  10.0.18362.1  Device Setup UI Pages
dsuiext.dll  10.0.18362.1  Directory Service Common UI
dswave.dll  10.0.18362.1  Microsoft DirectMusic Wave
dtsh.dll  10.0.18362.1  Detection and Sharing Status API
dui70.dll  10.0.18362.1  Windows DirectUI Engine
duser.dll  10.0.18362.1  Windows DirectUser Engine
dusmapi.dll  10.0.18362.1  Data Usage API
dwmapi.dll  10.0.18362.267  Microsoft Desktop Window Manager API
dwrite.dll  10.0.18362.476  Microsoft DirectX Typography Services
dxcore.dll  10.0.18362.1  DXCore
dxdiagn.dll  10.0.18362.387  Microsoft DirectX Diagnostic Tool
dxgi.dll  10.0.18362.693  DirectX Graphics Infrastructure
dxilconv.dll  10.0.18362.1  DirectX IL Converter DLL
dxmasf.dll  12.0.18362.449  Microsoft Windows Media Component Removal File.
dxptasksync.dll  10.0.18362.1  Microsoft Windows DXP Sync.
dxtmsft.dll  11.0.18362.1  DirectX Media -- Image DirectX Transforms
dxtrans.dll  11.0.18362.1  DirectX Media -- DirectX Transform Core
dxva2.dll  10.0.18362.1  DirectX Video Acceleration 2.0 DLL
eapp3hst.dll  10.0.18362.1  Microsoft ThirdPartyEapDispatcher
eappcfg.dll  10.0.18362.1  Eap Peer Config
eappgnui.dll  10.0.18362.1  EAP Generic UI
eapphost.dll  10.0.18362.1  Microsoft EAPHost Peer service
eappprxy.dll  10.0.18362.1  Microsoft EAPHost Peer Client DLL
eapprovp.dll  10.0.18362.1  EAP extension DLL
eapsimextdesktop.dll  10.0.18362.1  EAP SIM EXT config dll
easwrt.dll  10.0.18362.1  Exchange ActiveSync Windows Runtime DLL
edgehtml.dll  11.0.18362.719  Microsoft Edge Web Platform
edgeiso.dll  11.0.18362.693  Isolation Library for edgehtml hosts
edgemanager.dll  11.0.18362.693  Microsoft Edge Manager
editbuffertesthook.dll  10.0.18362.207  "EditBufferTestHook.DYNLINK"
editionupgradehelper.dll  10.0.18362.693  EDITIONUPGRADEHELPER.DLL
editionupgrademanagerobj.dll  10.0.18362.693  Get your Windows license
edpauditapi.dll  10.0.18362.1  EDP Audit API
edputil.dll  10.0.18362.1  EDP util
efsadu.dll  10.0.18362.1  File Encryption Utility
efsext.dll  10.0.18362.329  EFSEXT.DLL
efsutil.dll  10.0.18362.1  EFS Utility Library
efswrt.dll  10.0.18362.30  Storage Protection Windows Runtime DLL
ehstorapi.dll  10.0.18362.1  Windows Enhanced Storage API
ehstorpwdmgr.dll  10.0.18362.1  Microsoft Enhanced Storage Password Manager
els.dll  10.0.18362.1  Event Viewer Snapin
elscore.dll  10.0.18362.1  Els Core Platform DLL
elshyph.dll  10.0.18362.1  ELS Hyphenation Service
elslad.dll  10.0.18362.1  ELS Language Detection
elstrans.dll  10.0.18362.1  ELS Transliteration Service
emailapis.dll  10.0.18362.1  DLL for EmailRT
embeddedmodesvcapi.dll  10.0.18362.1  Embedded Mode Service Client DLL
encapi.dll  10.0.18362.1  Encoder API
encdump.dll  5.0.1.1  Media Foundation Crash Dump Encryption DLL
enrollmentapi.dll  10.0.18362.387  Legacy Phone Enrollment API BackCompat Shim
enterpriseappmgmtclient.dll  10.0.18362.1  EnterpriseAppMgmtClient.dll
enterpriseresourcemanager.dll  10.0.18362.719  enterpriseresourcemanager DLL
eqossnap.dll  10.0.18362.1  EQoS Snapin extension
errordetails.dll  10.0.18362.1  Microsoft Windows operating system.
errordetailscore.dll  10.0.18362.1  Microsoft Windows operating system.
es.dll  2001.12.10941.16384  COM+
esdsip.dll  10.0.18362.1  Crypto SIP provider for signing and verifying .esd Electronic Software Distribution files
esent.dll  10.0.18362.693  Extensible Storage Engine for Microsoft(R) Windows(R)
esentprf.dll  10.0.18362.1  Extensible Storage Engine Performance Monitoring Library for Microsoft(R) Windows(R)
esevss.dll  10.0.18362.1  Microsoft(R) ESENT shadow utilities
etwcoreuicomponentsresources.dll  10.0.18362.1  Microsoft CoreComponents UI ETW manifest Dll
etweseproviderresources.dll  10.0.18362.1  Microsoft ESE ETW
etwrundown.dll  10.0.18362.1  Etw Rundown Helper Library
eventcls.dll  10.0.18362.1  Microsoft® Volume Shadow Copy Service event class
evr.dll  10.0.18362.1  Enhanced Video Renderer DLL
execmodelclient.dll  10.0.18362.1  ExecModelClient
execmodelproxy.dll  10.0.18362.1  ExecModelProxy
explorerframe.dll  10.0.18362.418  ExplorerFrame
expsrv.dll  6.0.72.9589  Visual Basic for Applications Runtime - Expression Service
exsmime.dll  10.0.18362.1  LExsmime
extrasxmlparser.dll  10.0.18362.1  Extras XML parser used to extract extension information from XML
f3ahvoas.dll  10.0.18362.1  JP Japanese Keyboard Layout for Fujitsu FMV oyayubi-shift keyboard
familysafetyext.dll  10.0.18362.1  FamilySafety ChildAccount Extensions
faultrep.dll  10.0.18362.657  Windows User Mode Crash Reporting DLL
fdbth.dll  10.0.18362.1  Function Discovery Bluetooth Provider Dll
fdbthproxy.dll  10.0.18362.1  Bluetooth Provider Proxy Dll
fddevquery.dll  10.0.18362.1  Microsoft Windows Device Query Helper
fde.dll  10.0.18362.1  Folder Redirection Snapin Extension
fdeploy.dll  10.0.18362.1  Folder Redirection Group Policy Extension
fdpnp.dll  10.0.18362.1  Pnp Provider Dll
fdprint.dll  10.0.18362.1  Function Discovery Print Provider Dll
fdproxy.dll  10.0.18362.1  Function Discovery Proxy Dll
fdssdp.dll  10.0.18362.657  Function Discovery SSDP Provider Dll
fdwcn.dll  10.0.18362.1  Windows Connect Now - Config Function Discovery Provider DLL
fdwnet.dll  10.0.18362.1  Function Discovery WNet Provider Dll
fdwsd.dll  10.0.18362.657  Function Discovery WS Discovery Provider Dll
feclient.dll  10.0.18362.1  Windows NT File Encryption Client Interfaces
ffbroker.dll  10.0.18362.1  Force Feedback Broker And Policy COM Server
fidocredprov.dll  10.0.18362.1  FIDO Credential Provider
filemgmt.dll  10.0.18362.1  Services and Shared Folders
findnetprinters.dll  10.0.18362.628  Find Network Printers COM Component
fingerprintcredential.dll  10.0.18362.1  WinBio Fingerprint Credential
firewallapi.dll  10.0.18362.449  Windows Defender Firewall API
firewallcontrolpanel.dll  10.0.18362.1  Windows Defender Firewall Control Panel
flightsettings.dll  10.0.18362.329  Flight Settings
fltlib.dll  10.0.18362.1  Filter Library
fmifs.dll  10.0.18362.1  FM IFS Utility DLL
fms.dll  10.0.18362.1  Font Management Services
fontext.dll  10.0.18362.329  Windows Font Folder
fontglyphanimator.dll  10.0.18362.1  Font Glyph Animator
fontsub.dll  10.0.18362.535  Font Subsetting DLL
fphc.dll  10.0.18362.1  Filtering Platform Helper Class
framedyn.dll  10.0.18362.1  WMI SDK Provider Framework
framedynos.dll  10.0.18362.1  WMI SDK Provider Framework
frprov.dll  10.0.18362.1  Folder Redirection WMI Provider
fsclient.dll  10.0.18362.1  Frame Server Client DLL
fsutilext.dll  10.0.18362.1  FS Utility Extension DLL
fundisc.dll  10.0.18362.1  Function Discovery Dll
fveapi.dll  10.0.18362.387  Windows BitLocker Drive Encryption API
fveapibase.dll  10.0.18362.387  Windows BitLocker Drive Encryption Base API
fvecerts.dll  10.0.18362.329  BitLocker Certificates Library
fwbase.dll  10.0.18362.449  Firewall Base DLL
fwcfg.dll  10.0.18362.1  Windows Defender Firewall Configuration Helper
fwpolicyiomgr.dll  10.0.18362.449  FwPolicyIoMgr DLL
fwpuclnt.dll  10.0.18362.113  FWP/IPsec User-Mode API
fwremotesvr.dll  10.0.18362.1  Windows Defender Firewall Remote APIs Server
fxsapi.dll  10.0.18362.1  Microsoft Fax API Support DLL
fxscom.dll  10.0.18362.1  Microsoft Fax Server COM Client Interface
fxscomex.dll  10.0.18362.1  Microsoft Fax Server Extended COM Client Interface
fxsext32.dll  10.0.18362.1  Microsoft Fax Exchange Command Extension
fxsresm.dll  10.0.18362.1  Microsoft Fax Resource DLL
fxsxp32.dll  10.0.18362.1  Microsoft Fax Transport Provider
gamebarpresencewriter.proxy.dll  10.0.18362.1  GameBar Presence Writer Proxy
gamechatoverlayext.dll  10.0.18362.1  GameChat Overlay Extension
gamechattranscription.dll  10.0.18362.145  GameChatTranscription
gameinput.dll  10.0.18362.329  GameInput API
gamemode.dll  10.0.18362.1  Game Mode Client
gamepanelexternalhook.dll  10.0.18362.1  GamePanelExternalHook.dll
gameux.dll  10.0.18362.1  Games Explorer
gamingtcui.dll  10.0.18362.1  Windows Gaming Internal CallableUI dll
gcdef.dll  10.0.18362.1  Game Controllers Default Sheets
gdi32.dll  10.0.18362.1  GDI Client DLL
gdi32full.dll  10.0.18362.719  GDI Client DLL
gdiplus.dll  10.0.18362.720  Microsoft GDI+
geocommon.dll  10.0.18362.1  Geocommon
geolocation.dll  10.0.18362.1  Geolocation Runtime DLL
getuname.dll  10.0.18362.1  Unicode name Dll for UCE
glmf32.dll  10.0.18362.1  OpenGL Metafiling DLL
globinputhost.dll  10.0.18362.657  Windows Globalization Extension API for Input
glu32.dll  10.0.18362.387  OpenGL Utility Library DLL
gmsaclient.dll  10.0.18362.1  "gmsaclient.DYNLINK"
gnsdk_fp.dll  3.9.511.0  Gracenote SDK component
gpapi.dll  10.0.18362.1  Group Policy Client API
gpedit.dll  10.0.18362.1  GPEdit
gpprnext.dll  10.0.18362.1  Group Policy Printer Extension
gptext.dll  10.0.18362.1  GPTExt
graphicscapture.dll  10.0.18362.693  Microsoft Windows Graphics Capture Api
hbaapi.dll  10.0.18362.1  HBA API data interface dll for HBA_API_Rev_2-18_2002MAR1.doc
hcproviders.dll  10.0.18362.1  Security and Maintenance Providers
hdcphandler.dll  10.0.18362.1  Hdcp Handler DLL
heatcore.dll    
helppaneproxy.dll  10.0.18362.1  Microsoft® Help Proxy
hgcpl.dll  10.0.18362.1  HomeGroup Control Panel
hhsetup.dll  10.0.18362.1  Microsoft® HTML Help
hid.dll  10.0.18362.1  Hid User Library
hidserv.dll  10.0.18362.1  Human Interface Device Service
hlink.dll  10.0.18362.1  Microsoft Office 2000 component
hmkd.dll  10.0.18362.1  Windows HMAC Key Derivation API
hnetcfg.dll  10.0.18362.1  Home Networking Configuration Manager
hnetcfgclient.dll  10.0.18362.1  Home Networking Configuration API Client
hnetmon.dll  10.0.18362.1  Home Networking Monitor DLL
holoshellruntime.dll  10.0.18362.1  Hologram Shell Runtime
hrtfapo.dll  10.0.18362.1  HrtfApo.dll
httpapi.dll  10.0.18362.1  HTTP Protocol Stack API
htui.dll  10.0.18362.1  Common halftone Color Adjustment Dialogs
ia2comproxy.dll  10.0.18362.1  IAccessible2 COM Proxy Stub DLL
ias.dll  10.0.18362.1  Network Policy Server
iasacct.dll  10.0.18362.1  NPS Accounting Provider
iasads.dll  10.0.18362.1  NPS Active Directory Data Store
iasdatastore.dll  10.0.18362.1  NPS Datastore server
iashlpr.dll  10.0.18362.1  NPS Surrogate Component
iasmigplugin.dll  10.0.18362.1  NPS Migration DLL
iasnap.dll  10.0.18362.1  NPS NAP Provider
iaspolcy.dll  10.0.18362.1  NPS Pipeline
iasrad.dll  10.0.18362.1  NPS RADIUS Protocol Component
iasrecst.dll  10.0.18362.1  NPS XML Datastore Access
iassam.dll  10.0.18362.1  NPS NT SAM Provider
iassdo.dll  10.0.18362.1  NPS SDO Component
iassvcs.dll  10.0.18362.1  NPS Services Component
iccvid.dll  1.10.0.12  Cinepak® Codec
icm32.dll  10.0.18362.267  Microsoft Color Management Module (CMM)
icmp.dll  10.0.18362.1  ICMP DLL
icmui.dll  10.0.18362.1  Microsoft Color Matching System User Interface DLL
iconcodecservice.dll  10.0.18362.1  Converts a PNG part of the icon to a legacy bmp icon
icsigd.dll  10.0.18362.1  Internet Gateway Device properties
icu.dll  63.1.0.0  ICU Combined Library
icuin.dll  63.1.0.0  ICU I18N DLL
icuuc.dll  63.1.0.0  ICU Common DLL
idctrls.dll  10.0.18362.1  Identity Controls
idndl.dll  10.0.18362.1  Downlevel DLL
idstore.dll  10.0.18362.1  Identity Store
ieadvpack.dll  11.0.18362.1  ADVPACK
ieapfltr.dll  11.0.18362.1  Microsoft SmartScreen Filter
iedkcs32.dll  18.0.18362.628  IEAK branding
ieframe.dll  11.0.18362.693  Internet Browser
iemigplugin.dll  11.0.18362.693  IE Migration Plugin
iepeers.dll  11.0.18362.1  Internet Explorer Peer Objects
ieproxy.dll  11.0.18362.628  IE ActiveX Interface Marshaling Library
iernonce.dll  11.0.18362.1  Extended RunOnce processing with UI
iertutil.dll  11.0.18362.693  Run time utility for Internet Explorer
iesetup.dll  11.0.18362.1  IOD Version Map
iesysprep.dll  11.0.18362.1  IE Sysprep Provider
ieui.dll  11.0.18362.1  Internet Explorer UI Engine
ifmon.dll  10.0.18362.1  IF Monitor DLL
ifsutil.dll  10.0.18362.207  IFS Utility DLL
ifsutilx.dll  10.0.18362.1  IFS Utility Extension DLL
imagehlp.dll  10.0.18362.1  Windows NT Image Helper
imageres.dll  10.0.18362.1  Windows Image Resource
imagesp1.dll  10.0.18362.1  Windows SP1 Image Resource
imapi.dll  10.0.18362.1  Image Mastering API
imapi2.dll  10.0.18362.1  Image Mastering API v2
imapi2fs.dll  10.0.18362.1  Image Mastering File System Imaging API v2
imgutil.dll  11.0.18362.1  IE plugin image decoder support DLL
imm32.dll  10.0.18362.387  Multi-User Windows IMM32 API Client DLL
indexeddblegacy.dll  10.0.18362.719  "IndexedDbLegacy.DYNLINK"
inetcomm.dll  10.0.18362.1  Microsoft Internet Messaging API Resources
inetmib1.dll  10.0.18362.1  Microsoft MIB-II subagent
inetres.dll  10.0.18362.1  Microsoft Internet Messaging API Resources
inked.dll  10.0.18362.1  Microsoft Tablet PC InkEdit Control
inkobjcore.dll  10.0.18362.1  Microsoft Tablet PC Ink Platform Component
input.dll  10.0.18362.1  InputSetting DLL
inputhost.dll  10.0.18362.387  InputHost
inputinjectionbroker.dll  10.0.18362.1  Broker for WinRT input injection.
inputswitch.dll  10.0.18362.145  Microsoft Windows Input Switcher
inseng.dll  11.0.18362.1  Install engine
installservice.dll  10.0.18362.693  InstallService
installservicetasks.dll  10.0.18362.693  InstallService Tasks
intel_gfx_api-x86.dll  8.18.8.30  Intel® Media SDK API factory
iologmsg.dll  10.0.18362.1  IO Logging DLL
ipeloggingdictationhelper.dll  1.0.0.1  IPE Logging Library Helper
iphlpapi.dll  10.0.18362.1  IP Helper API
ipnathlpclient.dll  10.0.18362.1  IP NAT Helper Client
iprop.dll  10.0.18362.1  OLE PropertySet Implementation
iprtprio.dll  10.0.18362.693  IP Routing Protocol Priority DLL
iprtrmgr.dll  10.0.18362.693  IP Router Manager
ipsecsnp.dll  10.0.18362.1  IP Security Policy Management Snap-in
ipsmsnap.dll  10.0.18362.1  IP Security Monitor Snap-in
ir32_32.dll  10.0.18362.1  IR32_32 WRAPPER DLL
ir32_32original.dll  3.24.15.3  Intel Indeo(R) Video R3.2 32-bit Driver
ir41_32original.dll  4.51.16.3  Intel Indeo® Video 4.5
ir41_qc.dll  10.0.18362.1  IR41_QC WRAPPER DLL
ir41_qcoriginal.dll  4.30.62.2  Intel Indeo® Video Interactive Quick Compressor
ir41_qcx.dll  10.0.18362.1  IR41_QCX WRAPPER DLL
ir41_qcxoriginal.dll  4.30.64.1  Intel Indeo® Video Interactive Quick Compressor
ir50_32.dll  10.0.18362.1  IR50_32 WRAPPER DLL
ir50_32original.dll  5.2562.15.55  Intel Indeo® video 5.10
ir50_qc.dll  10.0.18362.1  IR50_QC WRAPPER DLL
ir50_qcoriginal.dll  5.0.63.48  Intel Indeo® video 5.10 Quick Compressor
ir50_qcx.dll  10.0.18362.1  IR50_QCX WRAPPER DLL
ir50_qcxoriginal.dll  5.0.64.48  Intel Indeo® video 5.10 Quick Compressor
iri.dll  10.0.18362.1  iri
iscsicpl.dll  5.2.3790.1830  iSCSI Initiator Control Panel Applet
iscsidsc.dll  10.0.18362.1  iSCSI Discovery api
iscsied.dll  10.0.18362.1  iSCSI Extension DLL
iscsium.dll  10.0.18362.1  iSCSI Discovery api
iscsiwmi.dll  10.0.18362.1  MS iSCSI Initiator WMI Provider
iscsiwmiv2.dll  10.0.18362.1  WMI Provider for iSCSI
itircl.dll  10.0.18362.1  Microsoft® InfoTech IR Local DLL
itss.dll  10.0.18362.1  Microsoft® InfoTech Storage System Library
iyuv_32.dll  10.0.18362.1  Intel Indeo(R) Video YUV Codec
javascriptcollectionagent.dll  11.0.18362.1  JavaScript Performance Collection Agent
jhi.dll  1.34.2019.714  Intel(R) Dynamic Application Loader Host Interface DLL
joinproviderol.dll  10.0.18362.1  Online Join Provider DLL
joinutil.dll  10.0.18362.1  Join Utility DLL
jpmapcontrol.dll  10.0.18362.1  Jupiter Map Control
jscript.dll  5.812.10240.16384  Microsoft ® JScript
jscript9.dll  11.0.18362.719  Microsoft ® JScript
jscript9diag.dll  11.0.18362.719  Microsoft ® JScript Diagnostics
jsproxy.dll  11.0.18362.693  JScript Proxy Auto-Configuration
kbd101.dll  10.0.18362.1  JP Japanese Keyboard Layout for 101
kbd101a.dll  10.0.18362.1  KO Hangeul Keyboard Layout for 101 (Type A)
kbd101b.dll  10.0.18362.1  KO Hangeul Keyboard Layout for 101(Type B)
kbd101c.dll  10.0.18362.1  KO Hangeul Keyboard Layout for 101(Type C)
kbd103.dll  10.0.18362.1  KO Hangeul Keyboard Layout for 103
kbd106.dll  10.0.18362.476  JP Japanese Keyboard Layout for 106
kbd106n.dll  10.0.18362.1  JP Japanese Keyboard Layout for 106
kbda1.dll  10.0.18362.1  Arabic_English_101 Keyboard Layout
kbda2.dll  10.0.18362.1  Arabic_2 Keyboard Layout
kbda3.dll  10.0.18362.1  Arabic_French_102 Keyboard Layout
kbdadlm.dll  10.0.18362.1  Adlam Keyboard Layout
kbdal.dll  10.0.18362.1  Albania Keyboard Layout
kbdarme.dll  10.0.18362.1  Eastern Armenian Keyboard Layout
kbdarmph.dll  10.0.18362.1  Armenian Phonetic Keyboard Layout
kbdarmty.dll  10.0.18362.1  Armenian Typewriter Keyboard Layout
kbdarmw.dll  10.0.18362.1  Western Armenian Keyboard Layout
kbdax2.dll  10.0.18362.1  JP Japanese Keyboard Layout for AX2
kbdaze.dll  10.0.18362.1  Azerbaijan_Cyrillic Keyboard Layout
kbdazel.dll  10.0.18362.1  Azeri-Latin Keyboard Layout
kbdazst.dll  10.0.18362.1  Azerbaijani (Standard) Keyboard Layout
kbdbash.dll  10.0.18362.1  Bashkir Keyboard Layout
kbdbe.dll  10.0.18362.1  Belgian Keyboard Layout
kbdbene.dll  10.0.18362.1  Belgian Dutch Keyboard Layout
kbdbgph.dll  10.0.18362.1  Bulgarian Phonetic Keyboard Layout
kbdbgph1.dll  10.0.18362.1  Bulgarian (Phonetic Traditional) Keyboard Layout
kbdbhc.dll  10.0.18362.1  Bosnian (Cyrillic) Keyboard Layout
kbdblr.dll  10.0.18362.1  Belarusian Keyboard Layout
kbdbr.dll  10.0.18362.1  Brazilian Keyboard Layout
kbdbu.dll  10.0.18362.1  Bulgarian (Typewriter) Keyboard Layout
kbdbug.dll  10.0.18362.1  Buginese Keyboard Layout
kbdbulg.dll  10.0.18362.1  Bulgarian Keyboard Layout
kbdca.dll  10.0.18362.1  Canadian Multilingual Keyboard Layout
kbdcan.dll  10.0.18362.1  Canadian Multilingual Standard Keyboard Layout
kbdcher.dll  10.0.18362.1  Cherokee Nation Keyboard Layout
kbdcherp.dll  10.0.18362.1  Cherokee Phonetic Keyboard Layout
kbdcr.dll  10.0.18362.1  Croatian/Slovenian Keyboard Layout
kbdcz.dll  10.0.18362.1  Czech Keyboard Layout
kbdcz1.dll  10.0.18362.1  Czech_101 Keyboard Layout
kbdcz2.dll  10.0.18362.1  Czech_Programmer's Keyboard Layout
kbdda.dll  10.0.18362.1  Danish Keyboard Layout
kbddiv1.dll  10.0.18362.1  Divehi Phonetic Keyboard Layout
kbddiv2.dll  10.0.18362.1  Divehi Typewriter Keyboard Layout
kbddv.dll  10.0.18362.1  Dvorak US English Keyboard Layout
kbddzo.dll  10.0.18362.1  Dzongkha Keyboard Layout
kbdes.dll  10.0.18362.1  Spanish Alernate Keyboard Layout
kbdest.dll  10.0.18362.1  Estonia Keyboard Layout
kbdfa.dll  10.0.18362.1  Persian Keyboard Layout
kbdfar.dll  10.0.18362.1  Persian Standard Keyboard Layout
kbdfc.dll  10.0.18362.1  Canadian French Keyboard Layout
kbdfi.dll  10.0.18362.1  Finnish Keyboard Layout
kbdfi1.dll  10.0.18362.1  Finnish-Swedish with Sami Keyboard Layout
kbdfo.dll  10.0.18362.1  Færoese Keyboard Layout
kbdfr.dll  10.0.18362.1  French Keyboard Layout
kbdfthrk.dll  10.0.18362.1  Futhark Keyboard Layout
kbdgae.dll  10.0.18362.1  Scottish Gaelic (United Kingdom) Keyboard Layout
kbdgeo.dll  10.0.18362.1  Georgian Keyboard Layout
kbdgeoer.dll  10.0.18362.1  Georgian (Ergonomic) Keyboard Layout
kbdgeome.dll  10.0.18362.1  Georgian (MES) Keyboard Layout
kbdgeooa.dll  10.0.18362.1  Georgian (Old Alphabets) Keyboard Layout
kbdgeoqw.dll  10.0.18362.1  Georgian (QWERTY) Keyboard Layout
kbdgkl.dll  10.0.18362.1  Greek_Latin Keyboard Layout
kbdgn.dll  10.0.18362.1  Guarani Keyboard Layout
kbdgr.dll  10.0.18362.1  German Keyboard Layout
kbdgr1.dll  10.0.18362.1  German_IBM Keyboard Layout
kbdgrlnd.dll  10.0.18362.1  Greenlandic Keyboard Layout
kbdgthc.dll  10.0.18362.1  Gothic Keyboard Layout
kbdhau.dll  10.0.18362.1  Hausa Keyboard Layout
kbdhaw.dll  10.0.18362.1  Hawaiian Keyboard Layout
kbdhe.dll  10.0.18362.1  Greek Keyboard Layout
kbdhe220.dll  10.0.18362.1  Greek IBM 220 Keyboard Layout
kbdhe319.dll  10.0.18362.1  Greek IBM 319 Keyboard Layout
kbdheb.dll  10.0.18362.1  KBDHEB Keyboard Layout
kbdhebl3.dll  10.0.18362.1  Hebrew Standard Keyboard Layout
kbdhela2.dll  10.0.18362.1  Greek IBM 220 Latin Keyboard Layout
kbdhela3.dll  10.0.18362.1  Greek IBM 319 Latin Keyboard Layout
kbdhept.dll  10.0.18362.1  Greek_Polytonic Keyboard Layout
kbdhu.dll  10.0.18362.1  Hungarian Keyboard Layout
kbdhu1.dll  10.0.18362.1  Hungarian 101-key Keyboard Layout
kbdibm02.dll  10.0.18362.1  JP Japanese Keyboard Layout for IBM 5576-002/003
kbdibo.dll  10.0.18362.1  Igbo Keyboard Layout
kbdic.dll  10.0.18362.1  Icelandic Keyboard Layout
kbdinasa.dll  10.0.18362.1  Assamese (Inscript) Keyboard Layout
kbdinbe1.dll  10.0.18362.1  Bengali - Inscript (Legacy) Keyboard Layout
kbdinbe2.dll  10.0.18362.1  Bengali (Inscript) Keyboard Layout
kbdinben.dll  10.0.18362.1  Bengali Keyboard Layout
kbdindev.dll  10.0.18362.1  Devanagari Keyboard Layout
kbdinen.dll  10.0.18362.1  English (India) Keyboard Layout
kbdinguj.dll  10.0.18362.1  Gujarati Keyboard Layout
kbdinhin.dll  10.0.18362.1  Hindi Keyboard Layout
kbdinkan.dll  10.0.18362.1  Kannada Keyboard Layout
kbdinmal.dll  10.0.18362.1  Malayalam Keyboard Layout Keyboard Layout
kbdinmar.dll  10.0.18362.1  Marathi Keyboard Layout
kbdinori.dll  10.0.18362.1  Odia Keyboard Layout
kbdinpun.dll  10.0.18362.1  Punjabi/Gurmukhi Keyboard Layout
kbdintam.dll  10.0.18362.1  Tamil Keyboard Layout
kbdintel.dll  10.0.18362.1  Telugu Keyboard Layout
kbdinuk2.dll  10.0.18362.1  Inuktitut Naqittaut Keyboard Layout
kbdir.dll  10.0.18362.1  Irish Keyboard Layout
kbdit.dll  10.0.18362.1  Italian Keyboard Layout
kbdit142.dll  10.0.18362.1  Italian 142 Keyboard Layout
kbdiulat.dll  10.0.18362.1  Inuktitut Latin Keyboard Layout
kbdjav.dll  10.0.18362.1  Javanese Keyboard Layout
kbdjpn.dll  10.0.18362.476  JP Japanese Keyboard Layout Stub driver
kbdkaz.dll  10.0.18362.1  Kazak_Cyrillic Keyboard Layout
kbdkhmr.dll  10.0.18362.1  Cambodian Standard Keyboard Layout
kbdkni.dll  10.0.18362.1  Khmer (NIDA) Keyboard Layout
kbdkor.dll  10.0.18362.356  KO Hangeul Keyboard Layout Stub driver
kbdkurd.dll  10.0.18362.1  Central Kurdish Keyboard Layout
kbdkyr.dll  10.0.18362.1  Kyrgyz Keyboard Layout
kbdla.dll  10.0.18362.1  Latin-American Spanish Keyboard Layout
kbdlao.dll  10.0.18362.1  Lao Standard Keyboard Layout
kbdlisub.dll  10.0.18362.1  Lisu Basic Keyboard Layout
kbdlisus.dll  10.0.18362.1  Lisu Standard Keyboard Layout
kbdlk41a.dll  10.0.18362.1  DEC LK411-AJ Keyboard Layout
kbdlt.dll  10.0.18362.1  Lithuania Keyboard Layout
kbdlt1.dll  10.0.18362.1  Lithuanian Keyboard Layout
kbdlt2.dll  10.0.18362.1  Lithuanian Standard Keyboard Layout
kbdlv.dll  10.0.18362.1  Latvia Keyboard Layout
kbdlv1.dll  10.0.18362.1  Latvia-QWERTY Keyboard Layout
kbdlvst.dll  10.0.18362.1  Latvian (Standard) Keyboard Layout
kbdmac.dll  10.0.18362.1  Macedonian (FYROM) Keyboard Layout
kbdmacst.dll  10.0.18362.1  Macedonian (FYROM) - Standard Keyboard Layout
kbdmaori.dll  10.0.18362.1  Maori Keyboard Layout
kbdmlt47.dll  10.0.18362.1  Maltese 47-key Keyboard Layout
kbdmlt48.dll  10.0.18362.1  Maltese 48-key Keyboard Layout
kbdmon.dll  10.0.18362.1  Mongolian Keyboard Layout
kbdmonmo.dll  10.0.18362.1  Mongolian (Mongolian Script) Keyboard Layout
kbdmonst.dll  10.0.18362.1  Traditional Mongolian (Standard) Keyboard Layout
kbdmyan.dll  10.0.18362.1  Myanmar Keyboard Layout
kbdne.dll  10.0.18362.1  Dutch Keyboard Layout
kbdnec.dll  10.0.18362.1  JP Japanese Keyboard Layout for (NEC PC-9800)
kbdnec95.dll  10.0.18362.1  JP Japanese Keyboard Layout for (NEC PC-9800 Windows 95)
kbdnecat.dll  10.0.18362.1  JP Japanese Keyboard Layout for (NEC PC-9800 on PC98-NX)
kbdnecnt.dll  10.0.18362.1  JP Japanese NEC PC-9800 Keyboard Layout
kbdnepr.dll  10.0.18362.1  Nepali Keyboard Layout
kbdnko.dll  10.0.18362.1  N'Ko Keyboard Layout
kbdno.dll  10.0.18362.1  Norwegian Keyboard Layout
kbdno1.dll  10.0.18362.1  Norwegian with Sami Keyboard Layout
kbdnso.dll  10.0.18362.1  Sesotho sa Leboa Keyboard Layout
kbdntl.dll  10.0.18362.1  New Tai Leu Keyboard Layout
kbdogham.dll  10.0.18362.1  Ogham Keyboard Layout
kbdolch.dll  10.0.18362.1  Ol Chiki Keyboard Layout
kbdoldit.dll  10.0.18362.1  Old Italic Keyboard Layout
kbdosa.dll  10.0.18362.1  Osage Keyboard Layout
kbdosm.dll  10.0.18362.1  Osmanya Keyboard Layout
kbdpash.dll  10.0.18362.1  Pashto (Afghanistan) Keyboard Layout
kbdphags.dll  10.0.18362.1  Phags-pa Keyboard Layout
kbdpl.dll  10.0.18362.1  Polish Keyboard Layout
kbdpl1.dll  10.0.18362.1  Polish Programmer's Keyboard Layout
kbdpo.dll  10.0.18362.1  Portuguese Keyboard Layout
kbdro.dll  10.0.18362.1  Romanian (Legacy) Keyboard Layout
kbdropr.dll  10.0.18362.1  Romanian (Programmers) Keyboard Layout
kbdrost.dll  10.0.18362.1  Romanian (Standard) Keyboard Layout
kbdru.dll  10.0.18362.1  Russian Keyboard Layout
kbdru1.dll  10.0.18362.1  Russia(Typewriter) Keyboard Layout
kbdrum.dll  10.0.18362.1  Russian - Mnemonic Keyboard Layout
kbdsf.dll  10.0.18362.1  Swiss French Keyboard Layout
kbdsg.dll  10.0.18362.1  Swiss German Keyboard Layout
kbdsl.dll  10.0.18362.1  Slovak Keyboard Layout
kbdsl1.dll  10.0.18362.1  Slovak(QWERTY) Keyboard Layout
kbdsmsfi.dll  10.0.18362.1  Sami Extended Finland-Sweden Keyboard Layout
kbdsmsno.dll  10.0.18362.1  Sami Extended Norway Keyboard Layout
kbdsn1.dll  10.0.18362.1  Sinhala Keyboard Layout
kbdsora.dll  10.0.18362.1  Sora Keyboard Layout
kbdsorex.dll  10.0.18362.1  Sorbian Extended Keyboard Layout
kbdsors1.dll  10.0.18362.1  Sorbian Standard Keyboard Layout
kbdsorst.dll  10.0.18362.1  Sorbian Standard (Legacy) Keyboard Layout
kbdsp.dll  10.0.18362.1  Spanish Keyboard Layout
kbdsw.dll  10.0.18362.1  Swedish Keyboard Layout
kbdsw09.dll  10.0.18362.1  Sinhala - Wij 9 Keyboard Layout
kbdsyr1.dll  10.0.18362.1  Syriac Standard Keyboard Layout
kbdsyr2.dll  10.0.18362.1  Syriac Phoenetic Keyboard Layout
kbdtaile.dll  10.0.18362.1  Tai Le Keyboard Layout
kbdtajik.dll  10.0.18362.1  Tajik Keyboard Layout
kbdtat.dll  10.0.18362.1  Tatar (Legacy) Keyboard Layout
kbdth0.dll  10.0.18362.1  Thai Kedmanee Keyboard Layout
kbdth1.dll  10.0.18362.1  Thai Pattachote Keyboard Layout
kbdth2.dll  10.0.18362.1  Thai Kedmanee (non-ShiftLock) Keyboard Layout
kbdth3.dll  10.0.18362.1  Thai Pattachote (non-ShiftLock) Keyboard Layout
kbdtifi.dll  10.0.18362.1  Tifinagh (Basic) Keyboard Layout
kbdtifi2.dll  10.0.18362.1  Tifinagh (Extended) Keyboard Layout
kbdtiprc.dll  10.0.18362.1  Tibetan (PRC) Keyboard Layout
kbdtiprd.dll  10.0.18362.1  Tibetan (PRC) - Updated Keyboard Layout
kbdtt102.dll  10.0.18362.1  Tatar Keyboard Layout
kbdtuf.dll  10.0.18362.1  Turkish F Keyboard Layout
kbdtuq.dll  10.0.18362.1  Turkish Q Keyboard Layout
kbdturme.dll  10.0.18362.1  Turkmen Keyboard Layout
kbdtzm.dll  10.0.18362.1  Central Atlas Tamazight Keyboard Layout
kbdughr.dll  10.0.18362.1  Uyghur (Legacy) Keyboard Layout
kbdughr1.dll  10.0.18362.1  Uyghur Keyboard Layout
kbduk.dll  10.0.18362.1  United Kingdom Keyboard Layout
kbdukx.dll  10.0.18362.1  United Kingdom Extended Keyboard Layout
kbdur.dll  10.0.18362.1  Ukrainian Keyboard Layout
kbdur1.dll  10.0.18362.1  Ukrainian (Enhanced) Keyboard Layout
kbdurdu.dll  10.0.18362.1  Urdu Keyboard Layout
kbdus.dll  10.0.18362.1  United States Keyboard Layout
kbdusa.dll  10.0.18362.1  US IBM Arabic 238_L Keyboard Layout
kbdusl.dll  10.0.18362.1  Dvorak Left-Hand US English Keyboard Layout
kbdusr.dll  10.0.18362.1  Dvorak Right-Hand US English Keyboard Layout
kbdusx.dll  10.0.18362.1  US Multinational Keyboard Layout
kbduzb.dll  10.0.18362.1  Uzbek_Cyrillic Keyboard Layout
kbdvntc.dll  10.0.18362.1  Vietnamese Keyboard Layout
kbdwol.dll  10.0.18362.1  Wolof Keyboard Layout
kbdyak.dll  10.0.18362.1  Sakha - Russia Keyboard Layout
kbdyba.dll  10.0.18362.1  Yoruba Keyboard Layout
kbdycc.dll  10.0.18362.1  Serbian (Cyrillic) Keyboard Layout
kbdycl.dll  10.0.18362.1  Serbian (Latin) Keyboard Layout
kerbclientshared.dll  10.0.18362.387  Kerberos Client Shared Functionality
kerberos.dll  10.0.18362.657  Kerberos Security Package
kernel.appcore.dll  10.0.18362.1  AppModel API Host
kernel32.dll  10.0.18362.329  Windows NT BASE API Client DLL
kernelbase.dll  10.0.18362.719  Windows NT BASE API Client DLL
keycredmgr.dll  10.0.18362.1  Microsoft Key Credential Manager
keyiso.dll  10.0.18362.657  CNG Key Isolation Service
keymgr.dll  10.0.18362.1  Stored User Names and Passwords
ksuser.dll  10.0.18362.1  User CSA Library
ktmw32.dll  10.0.18362.1  Windows KTM Win32 Client DLL
l2gpstore.dll  10.0.18362.1  Policy Storage dll
l2nacp.dll  10.0.18362.1  Windows Onex Credential Provider
l2sechc.dll  10.0.18362.1  Layer 2 Security Diagnostics Helper Classes
languageoverlayutil.dll  10.0.18362.1  Provides helper APIs for managing overlaid localized Windows resources.
laprxy.dll  12.0.18362.1  Windows Media Logagent Proxy
libegl.dll    
libglesv1_cm.dll    
libglesv2.dll    
libmfxhw32.dll  9.19.9.26  Intel® Media SDK library
licensemanager.dll  10.0.18362.449  LicenseManager
licensemanagerapi.dll  10.0.18362.1  "LicenseManagerApi.DYNLINK"
licensingdiagspp.dll  10.0.18362.1  Licensing Diagnostics SPP Plugin
licensingwinrt.dll  10.0.18362.693  LicensingWinRuntime
licmgr10.dll  11.0.18362.1  Microsoft® License Manager DLL
linkinfo.dll  10.0.18362.1  Windows Volume Tracking
loadperf.dll  10.0.18362.1  Load & Unload Performance Counters
localsec.dll  10.0.18362.1  Local Users and Groups MMC Snapin
locationapi.dll  10.0.18362.1  Microsoft Windows Location API
locationframeworkinternalps.dll  10.0.18362.1  Windows Geolocation Framework Internal PS
locationframeworkps.dll  10.0.18362.1  Windows Geolocation Framework PS
lockappbroker.dll  10.0.18362.1  Windows Lock App Broker DLL
lockscreendata.dll  10.0.18362.1  Windows Lock Screen Data DLL
loghours.dll  10.0.18362.1  Schedule Dialog
logoncli.dll  10.0.18362.628  Net Logon Client DLL
lpk.dll  10.0.18362.535  Language Pack
lsmproxy.dll  10.0.18362.1  LSM interfaces proxy Dll
luainstall.dll  10.0.18362.1  Lua manifest install
luiapi.dll  10.0.18362.1  LUI API
lz32.dll  5.0.1.1  LZ Expand/Compress API DLL
magnification.dll  10.0.18362.1  Microsoft Magnification API
mapconfiguration.dll  10.0.18362.1  MapConfiguration
mapcontrolcore.dll  10.0.18362.1  Map Control Core
mapcontrolstringsres.dll  10.0.18362.1  Map control resource strings
mapgeocoder.dll  10.0.18362.1  Maps Geocoder
mapi32.dll  1.0.2536.0  Extended MAPI 1.0 for Windows NT
mapistub.dll  1.0.2536.0  Extended MAPI 1.0 for Windows NT
maprouter.dll  10.0.18362.1  Maps Router
mapsbtsvc.dll  10.0.18362.1  Maps Background Transfer Service
mbaeapi.dll  10.0.18362.1  Mobile Broadband Account Experience API
mbaeapipublic.dll  10.0.18362.1  Mobile Broadband Account API
mbsmsapi.dll  10.0.18362.1  Microsoft Windows Mobile Broadband SMS API
mbussdapi.dll  10.0.18362.1  Microsoft Windows Mobile Broadband USSD API
mccsengineshared.dll  10.0.18362.1  Utilies shared among OneSync engines
mciavi32.dll  10.0.18362.1  Video For Windows MCI driver
mcicda.dll  10.0.18362.628  MCI driver for cdaudio devices
mciqtz32.dll  10.0.18362.1  DirectShow MCI Driver
mciseq.dll  10.0.18362.628  MCI driver for MIDI sequencer
mciwave.dll  10.0.18362.628  MCI driver for waveform audio
mcrecvsrc.dll  10.0.18362.719  Miracast Media Foundation Source DLL
mdminst.dll  10.0.18362.1  Modem Class Installer
mdmlocalmanagement.dll  10.0.18362.1  MDM Local Management DLL
mdmregistration.dll  10.0.18362.387  MDM Registration DLL
messagingdatamodel2.dll  10.0.18362.1  MessagingDataModel2
mf.dll  10.0.18362.657  Media Foundation DLL
mf3216.dll  10.0.18362.719  32-bit to 16-bit Metafile Conversion DLL
mfaacenc.dll  10.0.18362.1  Media Foundation AAC Encoder
mfasfsrcsnk.dll  10.0.18362.657  Media Foundation ASF Source and Sink DLL
mfaudiocnv.dll  10.0.18362.1  Media Foundation Audio Converter DLL
mfc100.dll  10.0.40219.1  MFCDLL Shared Library - Retail Version
mfc100u.dll  10.0.40219.1  MFCDLL Shared Library - Retail Version
mfc110.dll  11.0.60610.1  MFCDLL Shared Library - Retail Version
mfc110chs.dll  11.0.60610.1  MFC Language Specific Resources
mfc110cht.dll  11.0.60610.1  MFC Language Specific Resources
mfc110deu.dll  11.0.60610.1  MFC Language Specific Resources
mfc110enu.dll  11.0.60610.1  MFC Language Specific Resources
mfc110esn.dll  11.0.60610.1  MFC Language Specific Resources
mfc110fra.dll  11.0.60610.1  MFC Language Specific Resources
mfc110ita.dll  11.0.60610.1  MFC Language Specific Resources
mfc110jpn.dll  11.0.60610.1  MFC Language Specific Resources
mfc110kor.dll  11.0.60610.1  MFC Language Specific Resources
mfc110rus.dll  11.0.60610.1  MFC Language Specific Resources
mfc110u.dll  11.0.60610.1  MFCDLL Shared Library - Retail Version
mfc140.dll  14.0.24210.0  MFCDLL Shared Library - Retail Version
mfc140chs.dll  14.0.24210.0  MFC Language Specific Resources
mfc140cht.dll  14.0.24210.0  MFC Language Specific Resources
mfc140deu.dll  14.0.24210.0  MFC Language Specific Resources
mfc140enu.dll  14.0.24210.0  MFC Language Specific Resources
mfc140esn.dll  14.0.24210.0  MFC Language Specific Resources
mfc140fra.dll  14.0.24210.0  MFC Language Specific Resources
mfc140ita.dll  14.0.24210.0  MFC Language Specific Resources
mfc140jpn.dll  14.0.24210.0  MFC Language Specific Resources
mfc140kor.dll  14.0.24210.0  MFC Language Specific Resources
mfc140rus.dll  14.0.24210.0  MFC Language Specific Resources
mfc140u.dll  14.0.24210.0  MFCDLL Shared Library - Retail Version
mfc40.dll  4.1.0.6140  MFCDLL Shared Library - Retail Version
mfc40u.dll  4.1.0.6140  MFCDLL Shared Library - Retail Version
mfc42.dll  6.6.8063.0  MFCDLL Shared Library - Retail Version
mfc42u.dll  6.6.8063.0  MFCDLL Shared Library - Retail Version
mfcaptureengine.dll  10.0.18362.1  Media Foundation CaptureEngine DLL
mfcm100.dll  10.0.40219.1  MFC Managed Library - Retail Version
mfcm100u.dll  10.0.40219.1  MFC Managed Library - Retail Version
mfcm110.dll  11.0.60610.1  MFC Managed Library - Retail Version
mfcm110u.dll  11.0.60610.1  MFC Managed Library - Retail Version
mfcm140.dll  14.0.24210.0  MFC Managed Library - Retail Version
mfcm140u.dll  14.0.24210.0  MFC Managed Library - Retail Version
mfcore.dll  10.0.18362.657  Media Foundation Core DLL
mfcsubs.dll  2001.12.10941.16384  COM+
mfds.dll  10.0.18362.1  Media Foundation Direct Show wrapper DLL
mfdvdec.dll  10.0.18362.1  Media Foundation DV Decoder
mferror.dll  10.0.18362.1  Media Foundation Error DLL
mfh263enc.dll  10.0.18362.1  Media Foundation h263 Encoder
mfh264enc.dll  10.0.18362.1  Media Foundation H264 Encoder
mfksproxy.dll  10.0.18362.1  Dshow MF Bridge DLL DLL
mfmediaengine.dll  10.0.18362.329  Media Foundation Media Engine DLL
mfmjpegdec.dll  10.0.18362.1  Media Foundation MJPEG Decoder
mfmkvsrcsnk.dll  10.0.18362.1  Media Foundation MKV Media Source and Sink DLL
mfmp4srcsnk.dll  10.0.18362.719  Media Foundation MPEG4 Source and Sink DLL
mfmpeg2srcsnk.dll  10.0.18362.693  Media Foundation MPEG2 Source and Sink DLL
mfnetcore.dll  10.0.18362.1  Media Foundation Net Core DLL
mfnetsrc.dll  10.0.18362.1  Media Foundation Net Source DLL
mfperfhelper.dll  10.0.18362.1  MFPerf DLL
mfplat.dll  10.0.18362.719  Media Foundation Platform DLL
mfplay.dll  10.0.18362.145  Media Foundation Playback API DLL
mfps.dll  10.0.18362.207  Media Foundation Proxy DLL
mfreadwrite.dll  10.0.18362.719  Media Foundation ReadWrite DLL
mfsensorgroup.dll  10.0.18362.1  Media Foundation Sensor Group DLL
mfsrcsnk.dll  10.0.18362.719  Media Foundation Source and Sink DLL
mfsvr.dll  10.0.18362.719  Media Foundation Simple Video Renderer DLL
mftranscode.dll  10.0.18362.1  Media Foundation Transcode DLL
mfvdsp.dll  10.0.18362.1  Windows Media Foundation Video DSP Components
mfvfw.dll  10.0.18362.1  MF VFW MFT
mfwmaaec.dll  10.0.18362.1  Windows Media Audio AEC for Media Foundation
mfx_mft_encrypt_32.dll  9.19.9.26  Intel® Hardware HDCP Encryptor MFT
mfx_mft_h264ve_32.dll  9.19.9.26  Intel® Quick Sync Video H.264 Encoder MFT
mfx_mft_h265ve_32.dll  9.19.9.26  Intel® Hardware H265 Encoder MFT
mfx_mft_mjpgvd_32.dll  9.19.9.26  Intel® Hardware M-JPEG Decoder MFT
mfx_mft_vp9ve_32.dll  9.19.9.26  Intel® Hardware VP9 Encoder MFT
mfxplugin32_hw.dll  1.19.9.26  Intel® Media SDK HW Default Plug-in
mgmtapi.dll  10.0.18362.1  Microsoft SNMP Manager API (uses WinSNMP)
mi.dll  10.0.18362.1  Management Infrastructure
mibincodec.dll  10.0.18362.1  Management Infrastructure binary codec component
microsoft.bluetooth.proxy.dll  10.0.18362.1  Microsoft Bluetooth COM Proxy DLL
microsoft.management.infrastructure.native.unmanaged.dll  10.0.18362.1  Microsoft.Management.Infrastructure.Native.Unmanaged.dll
microsoftaccounttokenprovider.dll  10.0.18362.693  Microsoft® Account Token Provider
microsoftaccountwamextension.dll  10.0.18362.1  Microsoft Account WAM Extension DLL
midimap.dll  10.0.18362.1  Microsoft MIDI Mapper
migisol.dll  10.0.18362.1  Migration System Isolation Layer
miguiresource.dll  10.0.18362.1  MIG wini32 resources
mimefilt.dll  2008.0.18362.1  MIME Filter
mimofcodec.dll  10.0.18362.1  Management Infrastructure mof codec component
minstoreevents.dll  10.0.18362.1  Minstore Event Resource
mintdh.dll  10.0.18362.1  Event Trace Helper Library
miracastreceiver.dll  10.0.18362.267  Miracast Receiver API
miracastreceiverext.dll  10.0.18362.1  Miracast Receiver Extensions
mirrordrvcompat.dll  10.0.18362.1  Mirror Driver Compatibility Helper
mispace.dll  10.0.18362.1  Storage Management Provider for Spaces
mitigationconfiguration.dll  10.0.18362.1  Exploit Guard Configuration Helper
miutils.dll  10.0.18362.1  Management Infrastructure
mixedrealityruntime.dll  10.0.18362.1  MixedRealityRuntime DLL
mlang.dll  10.0.18362.1  Multi Language Support DLL
mmcbase.dll  10.0.18362.1  MMC Base DLL
mmcndmgr.dll  10.0.18362.1  MMC Node Manager DLL
mmcshext.dll  10.0.18362.1  MMC Shell Extension DLL
mmdevapi.dll  10.0.18362.387  MMDevice API
mmgaclient.dll  10.0.18362.145  MMGA
mmgaproxystub.dll  10.0.18362.145  MMGA
mmres.dll  10.0.18362.1  General Audio Resources
mobilenetworking.dll  10.0.18362.1  "MobileNetworking.DYNLINK"
modemui.dll  10.0.18362.1  Windows Modem Properties
moricons.dll  10.0.18362.1  Windows NT Setup Icon Resources Library
moshostclient.dll  10.0.18362.1  MosHostClient
mosstorage.dll  10.0.18362.1  MosStorage
mp3dmod.dll  10.0.18362.1  Microsoft MP3 Decoder DMO
mp43decd.dll  10.0.18362.1  Windows Media MPEG-4 Video Decoder
mp4sdecd.dll  10.0.18362.1  Windows Media MPEG-4 S Video Decoder
mpg4decd.dll  10.0.18362.1  Windows Media MPEG-4 Video Decoder
mpr.dll  10.0.18362.1  Multiple Provider Router DLL
mprapi.dll  10.0.18362.1  Windows NT MP Router Administration DLL
mprddm.dll  10.0.18362.267  Demand Dial Manager Supervisor
mprdim.dll  10.0.18362.693  Dynamic Interface Manager
mprext.dll  10.0.18362.1  Multiple Provider Router Extension DLL
mprmsg.dll  10.0.18362.1  Multi-Protocol Router Service Messages DLL
mrmcorer.dll  10.0.18362.1  Microsoft Windows MRM
mrmdeploy.dll  10.0.18362.1  Microsoft Windows MRM Deployment
mrmindexer.dll  10.0.18362.1  Microsoft Windows MRM
mrt_map.dll  1.6.24911.0  Microsoft .NET Native Error Reporting Helper
mrt100.dll  1.6.24911.0  Microsoft .NET Native Runtime
ms3dthumbnailprovider.dll  10.0.18362.1  3D Builder
msaatext.dll  2.0.10413.0  Active Accessibility text support
msac3enc.dll  10.0.18362.1  Microsoft AC-3 Encoder
msacm32.dll  10.0.18362.1  Microsoft ACM Audio Filter
msadce.dll  10.0.18362.1  OLE DB Cursor Engine
msadcer.dll  10.0.18362.1  OLE DB Cursor Engine Resources
msadco.dll  10.0.18362.1  Remote Data Services Data Control
msadcor.dll  10.0.18362.1  Remote Data Services Data Control Resources
msadds.dll  10.0.18362.1  OLE DB Data Shape Provider
msaddsr.dll  10.0.18362.1   OLE DB Data Shape Provider Resources
msader15.dll  10.0.18362.1  ActiveX Data Objects Resources
msado15.dll  10.0.18362.239  ActiveX Data Objects
msadomd.dll  10.0.18362.175  ActiveX Data Objects (Multi-Dimensional)
msador15.dll  10.0.18362.1  Microsoft ActiveX Data Objects Recordset
msadox.dll  10.0.18362.175  ActiveX Data Objects Extensions
msadrh15.dll  10.0.18362.1  ActiveX Data Objects Rowset Helper
msafd.dll  10.0.18362.1  Microsoft Windows Sockets 2.0 Service Provider
msajapi.dll  10.0.18362.1  AllJoyn API Library
msalacdecoder.dll  10.0.18362.1  Media Foundation ALAC Decoder
msalacencoder.dll  10.0.18362.1  Media Foundation ALAC Encoder
msamrnbdecoder.dll  10.0.18362.1  AMR Narrowband Decoder DLL
msamrnbencoder.dll  10.0.18362.1  AMR Narrowband Encoder DLL
msamrnbsink.dll  10.0.18362.1  AMR Narrowband Sink DLL
msamrnbsource.dll  10.0.18362.1  AMR Narrowband Source DLL
msasn1.dll  10.0.18362.1  ASN.1 Runtime APIs
msauddecmft.dll  10.0.18362.1  Media Foundation Audio Decoders
msaudite.dll  10.0.18362.1  Security Audit Events DLL
msauserext.dll  10.0.18362.693  MSA USER Extension DLL
mscandui.dll  10.0.18362.1  MSCANDUI Server DLL
mscat32.dll  10.0.18362.1  MSCAT32 Forwarder DLL
msclmd.dll  10.0.18362.1  Microsoft Class Mini-driver
mscms.dll  10.0.18362.267  Microsoft Color Matching System DLL
mscoree.dll  10.0.18362.1  Microsoft .NET Runtime Execution Engine
mscorier.dll  10.0.18362.1  Microsoft .NET Runtime IE resources
mscories.dll  2.0.50727.9136  Microsoft .NET IE SECURITY REGISTRATION
mscpx32r.dll  10.0.18362.1  ODBC Code Page Translator Resources
mscpxl32.dll  10.0.18362.1  ODBC Code Page Translator
msctf.dll  10.0.18362.693  MSCTF Server DLL
msctfmonitor.dll  10.0.18362.1  MsCtfMonitor DLL
msctfp.dll  10.0.18362.1  MSCTFP Server DLL
msctfui.dll  10.0.18362.1  MSCTFUI Server DLL
msctfuimanager.dll  10.0.18362.1  Microsoft UIManager DLL
msdadc.dll  10.0.18362.1  OLE DB Data Conversion Stub
msdadiag.dll  10.0.18362.1  Built-In Diagnostics
msdaenum.dll  10.0.18362.1  OLE DB Root Enumerator Stub
msdaer.dll  10.0.18362.1  OLE DB Error Collection Stub
msdaora.dll  10.0.18362.1  OLE DB Provider for Oracle
msdaorar.dll  10.0.18362.1  OLE DB Provider for Oracle Resources
msdaosp.dll  10.0.18362.1  OLE DB Simple Provider
msdaprsr.dll  10.0.18362.1  OLE DB Persistence Services Resources
msdaprst.dll  10.0.18362.1  OLE DB Persistence Services
msdaps.dll  10.0.18362.1  OLE DB Interface Proxies/Stubs
msdarem.dll  10.0.18362.1  OLE DB Remote Provider
msdaremr.dll  10.0.18362.1  OLE DB Remote Provider Resources
msdart.dll  10.0.18362.1  OLE DB Runtime Routines
msdasc.dll  10.0.18362.1  OLE DB Service Components Stub
msdasql.dll  10.0.18362.1  OLE DB Provider for ODBC Drivers
msdasqlr.dll  10.0.18362.1  OLE DB Provider for ODBC Drivers Resources
msdatl3.dll  10.0.18362.1  OLE DB Implementation Support Routines
msdatt.dll  10.0.18362.1  OLE DB Temporary Table Services
msdaurl.dll  10.0.18362.1  OLE DB RootBinder Stub
msdelta.dll  5.0.1.1  Microsoft Patch Engine
msdfmap.dll  10.0.18362.1  Data Factory Handler
msdmo.dll  10.0.18362.1  DMO Runtime
msdrm.dll  10.0.18362.1  Windows Rights Management client
msdtcprx.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator OLE Transactions Interface Proxy DLL
msdtcspoffln.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator SysPrep Specialize Offline DLL
msdtcuiu.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator Administrative DLL
msdtcvsp1res.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator Resources for Vista SP1
msexch40.dll  4.0.9756.0  Microsoft Jet Exchange Isam
msexcl40.dll  4.0.9801.17  Microsoft Jet Excel Isam
msfeeds.dll  11.0.18362.628  Microsoft Feeds Manager
msfeedsbs.dll  11.0.18362.628  Microsoft Feeds Background Sync
msflacdecoder.dll  10.0.18362.719  Media Foundation FLAC Decoder
msflacencoder.dll  10.0.18362.719  Media Foundation FLAC Encoder
msftedit.dll  10.0.18362.329  Rich Text Edit Control, v8.5
msheif.dll  10.0.18362.1  HEIF DLL
mshtml.dll  11.0.18362.719  Microsoft (R) HTML Viewer
mshtmldac.dll  11.0.18362.329  DAC for Trident DOM
mshtmled.dll  11.0.18362.1  Microsoft® HTML Editing Component
mshtmler.dll  11.0.18362.1  Microsoft® HTML Editing Component's Resource DLL
msi.dll  5.0.18362.719  Windows Installer
msidcrl40.dll  10.0.18362.1  Microsoft® Account Dynamic Link Library
msident.dll  10.0.18362.1  Microsoft Identity Manager
msidle.dll  10.0.18362.1  User Idle Monitor
msidntld.dll  10.0.18362.1  Microsoft Identity Manager
msieftp.dll  10.0.18362.1  Microsoft Internet Explorer FTP Folder Shell Extension
msihnd.dll  5.0.18362.1  Windows® installer
msiltcfg.dll  5.0.18362.1  Windows Installer Configuration API Stub
msimg32.dll  10.0.18362.719  GDIEXT Client DLL
msimsg.dll  5.0.18362.719  Windows® Installer International Messages
msimtf.dll  10.0.18362.1  Active IMM Server DLL
msisip.dll  5.0.18362.1  MSI Signature SIP Provider
msiso.dll  11.0.18362.693  Isolation Library for Internet Explorer
msiwer.dll  5.0.18362.1  MSI Windows Error Reporting
msjet40.dll  4.0.9801.20  Microsoft Jet Engine Library
msjetoledb40.dll  4.0.9801.0  
msjint40.dll  4.0.9801.1  Microsoft Jet Database Engine International DLL
msjro.dll  10.0.18362.1  Jet and Replication Objects
msjter40.dll  4.0.9801.0  Microsoft Jet Database Engine Error DLL
msjtes40.dll  4.0.9801.0  Microsoft Jet Expression Service
mskeyprotcli.dll  10.0.18362.1  Windows Client Key Protection Provider
mskeyprotect.dll  10.0.18362.1  Microsoft Key Protection Provider
msls31.dll  3.10.349.0  Microsoft Line Services library file
msltus40.dll  4.0.9801.19  Microsoft Jet Lotus 1-2-3 Isam
msmpeg2adec.dll  10.0.18362.1  Microsoft DTV-DVD Audio Decoder
msmpeg2enc.dll  10.0.18362.1  Microsoft MPEG-2 Encoder
msmpeg2vdec.dll  10.0.18362.693  Microsoft DTV-DVD Video Decoder
msobjs.dll  10.0.18362.1  System object audit names
msoert2.dll  10.0.18362.1  Microsoft Windows Mail RT Lib
msopusdecoder.dll  10.0.18362.1  Media Foundation Opus Decoder
msorc32r.dll  10.0.18362.1  ODBC Driver for Oracle Resources
msorcl32.dll  10.0.18362.1  ODBC Driver for Oracle
mspatcha.dll  5.0.1.1  Microsoft File Patch Application API
mspatchc.dll  5.0.1.1  Microsoft Patch Creation Engine
mspbde40.dll  4.0.9801.15  Microsoft Jet Paradox Isam
msphotography.dll  10.0.18362.1  MS Photography DLL
msports.dll  10.0.18362.1  Ports Class Installer
msrating.dll  10.0.18362.1  "msrating.DYNLINK"
msrawimage.dll  10.0.18362.1  MS RAW Image Decoder DLL
msrd2x40.dll  4.0.9801.18  Microsoft (R) Red ISAM
msrd3x40.dll  4.0.9801.19  Microsoft (R) Red ISAM
msrdc.dll  10.0.18362.1  Remote Differential Compression COM server
msrdpwebaccess.dll  10.0.18362.1  Microsoft Remote Desktop Services Web Access Control
msrepl40.dll  4.0.9801.0  Microsoft Replication Library
msrle32.dll  10.0.18362.1  Microsoft RLE Compressor
msscntrs.dll  7.0.18362.719  PKM Perfmon Counter DLL
mssign32.dll  10.0.18362.1  Microsoft Trust Signing APIs
mssip32.dll  10.0.18362.1  MSSIP32 Forwarder DLL
mssitlb.dll  7.0.18362.719  mssitlb
msspellcheckingfacility.dll  10.0.18362.1  Microsoft Spell Checking Facility
mssph.dll  7.0.18362.719  Microsoft Search Protocol Handler
mssprxy.dll  7.0.18362.719  Microsoft Search Proxy
mssrch.dll  7.0.18362.719  Microsoft Embedded Search
mssvp.dll  7.0.18362.719  MSSearch Vista Platform
mstask.dll  10.0.18362.1  Task Scheduler interface DLL
mstext40.dll  4.0.9801.0  Microsoft Jet Text Isam
mstscax.dll  10.0.18362.657  Remote Desktop Services ActiveX Client
msutb.dll  10.0.18362.628  MSUTB Server DLL
msv1_0.dll  10.0.18362.476  Microsoft Authentication Package v1.0
msvbvm60.dll  6.0.98.15  Visual Basic Virtual Machine
msvcirt.dll  7.0.18362.1  Windows NT IOStreams DLL
msvcp_win.dll  10.0.18362.387  Microsoft® C Runtime Library
msvcp100.dll  10.0.40219.325  Microsoft® C Runtime Library
msvcp110.dll  11.0.51106.1  Microsoft® C Runtime Library
msvcp110_win.dll  10.0.18362.1  Microsoft® STL110 C++ Runtime Library
msvcp120.dll  12.0.21005.1  Microsoft® C Runtime Library
msvcp120_clr0400.dll  12.0.52519.0  Microsoft® C Runtime Library
msvcp140.dll  14.16.27033.0  Microsoft® C Runtime Library
msvcp140_1.dll  14.16.27033.0  Microsoft® C Runtime Library _1
msvcp140_clr0400.dll  14.10.25028.0  Microsoft® C Runtime Library
msvcp60.dll  7.0.18362.1  Windows NT C++ Runtime Library DLL
msvcr100.dll  10.0.40219.325  Microsoft® C Runtime Library
msvcr100_clr0400.dll  14.8.3752.0  Microsoft® .NET Framework
msvcr110.dll  11.0.51106.1  Microsoft® C Runtime Library
msvcr120.dll  12.0.21005.1  Microsoft® C Runtime Library
msvcr120_clr0400.dll  12.0.52519.0  Microsoft® C Runtime Library
msvcrt.dll  7.0.18362.1  Windows NT CRT DLL
msvcrt20.dll  2.12.0.0  Microsoft® C Runtime Library
msvcrt40.dll  10.0.18362.1  VC 4.x CRT DLL (Forwarded to msvcrt.dll)
msvfw32.dll  10.0.18362.1  Microsoft Video for Windows DLL
msvidc32.dll  10.0.18362.1  Microsoft Video 1 Compressor
msvidctl.dll  6.5.18362.1  ActiveX control for streaming video
msvideodsp.dll  10.0.18362.1  Video Stabilization MFT
msvp9dec.dll  10.0.18362.1  Windows VP9 Video Decoder
msvproc.dll  10.0.18362.387  Media Foundation Video Processor
msvpxenc.dll  10.0.18362.1  Windows VPX Video Encoder
mswb7.dll  10.0.18362.1  MSWB7 DLL
mswb70804.dll  10.0.18362.1  MSWB7EA DLL
mswdat10.dll  4.0.9801.0  Microsoft Jet Sort Tables
mswebp.dll  10.0.18362.1  WEBP DLL
mswmdm.dll  12.0.18362.1  Windows Media Device Manager Core
mswsock.dll  10.0.18362.1  Microsoft Windows Sockets 2.0 Service Provider
mswstr10.dll  4.0.9801.1  Microsoft Jet Sort Library
msxactps.dll  10.0.18362.1  OLE DB Transaction Proxies/Stubs
msxbde40.dll  4.0.9801.18  Microsoft Jet xBASE Isam
msxml3.dll  8.110.18362.239  MSXML 3.0
msxml3r.dll  8.110.18362.239  XML Resources
msxml6.dll  6.30.18362.418  MSXML 6.0
msxml6r.dll  6.30.18362.418  XML Resources
msyuv.dll  10.0.18362.1  Microsoft UYVY Video Decompressor
mtf.dll  10.0.18362.1  "MTF.DYNLINK"
mtxclu.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator Failover Clustering Support DLL
mtxdm.dll  2001.12.10941.16384  COM+
mtxex.dll  2001.12.10941.16384  COM+
mtxlegih.dll  2001.12.10941.16384  COM+
mtxoci.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator Database Support DLL for Oracle
muifontsetup.dll  10.0.18362.1  MUI Callback for font registry settings
mycomput.dll  10.0.18362.1  Computer Management
mydocs.dll  10.0.18362.1  My Documents Folder UI
napcrypt.dll  10.0.18362.1  NAP Cryptographic API helper
napinsp.dll  10.0.18362.1  E-mail Naming Shim Provider
naturallanguage6.dll  10.0.18362.1  Natural Language Development Platform 6
ncdprop.dll  10.0.18362.1  Advanced network device properties
nci.dll  10.0.18362.1  CoInstaller: NET
ncobjapi.dll  10.0.18362.1  Microsoft® Windows® Operating System
ncrypt.dll  10.0.18362.1  Windows NCrypt Router
ncryptprov.dll  10.0.18362.295  Microsoft KSP
ncryptsslp.dll  10.0.18362.1  Microsoft SChannel Provider
nddeapi.dll  10.0.18362.1  Network DDE Share Management APIs
ndfapi.dll  10.0.18362.1  Network Diagnostic Framework Client API
ndfetw.dll  10.0.18362.1  Network Diagnostic Engine Event Interface
ndfhcdiscovery.dll  10.0.18362.1  Network Diagnostic Framework HC Discovery API
ndishc.dll  10.0.18362.1  NDIS Helper Classes
ndproxystub.dll  10.0.18362.1  Network Diagnostic Engine Proxy/Stub
negoexts.dll  10.0.18362.1  NegoExtender Security Package
netapi32.dll  10.0.18362.1  Net Win32 API DLL
netbios.dll  10.0.18362.1  NetBIOS Interface Library
netcenter.dll  10.0.18362.1  Network Center control panel
netcfgx.dll  10.0.18362.1  Network Configuration Objects
netcorehc.dll  10.0.18362.1  Networking Core Diagnostics Helper Classes
netdiagfx.dll  10.0.18362.1  Network Diagnostic Framework
netdriverinstall.dll  10.0.18362.628  Network Driver Installation
netevent.dll  10.0.18362.1  Net Event Handler
netfxperf.dll  10.0.18362.1  Extensible Performance Counter Shim
neth.dll  10.0.18362.1  Net Help Messages DLL
netid.dll  10.0.18362.1  System Control Panel Applet; Network ID Page
netiohlp.dll  10.0.18362.1  Netio Helper DLL
netjoin.dll  10.0.18362.1  Domain Join DLL
netlogon.dll  10.0.18362.628  Net Logon Services DLL
netmsg.dll  10.0.18362.1  Net Messages DLL
netplwiz.dll  10.0.18362.329  Map Network Drives/Network Places Wizard
netprofm.dll  10.0.18362.1  Network List Manager
netprovfw.dll  10.0.18362.1  Provisioning Service Framework DLL
netprovisionsp.dll  10.0.18362.1  Provisioning Service Provider DLL
netsetupapi.dll  10.0.18362.628  Network Configuration API
netsetupengine.dll  10.0.18362.628  Network Configuration Engine
netsetupshim.dll  10.0.18362.1  Network Configuration API
netshell.dll  10.0.18362.1  Network Connections Shell
netutils.dll  10.0.18362.1  Net Win32 API Helpers DLL
networkcollectionagent.dll  11.0.18362.1  Network Collection Agent
networkexplorer.dll  10.0.18362.1  Network Explorer
networkhelper.dll  10.0.18362.1  Network utilities for mail, contacts, calendar
networkitemfactory.dll  10.0.18362.1  NetworkItem Factory
newdev.dll  6.0.5054.0  Add Hardware Device Library
ngccredprov.dll  10.0.18362.329  Microsoft Passport Credential Provider
ngckeyenum.dll  10.0.18362.1  Microsoft Passport Key Enumeration Manager
ngcksp.dll  10.0.18362.1  Microsoft Passport Key Storage Provider
ngclocal.dll  10.0.18362.1  NGC Local Account APIs
ninput.dll  10.0.18362.1  Microsoft Pen and Touch Input Component
nl7data0804.dll  10.0.18362.1  Microsoft Chinese Simplified Natural Language Data and Code
nlaapi.dll  10.0.18362.1  Network Location Awareness 2
nlhtml.dll  2008.0.18362.1  HTML filter
nlmgp.dll  10.0.18362.1  Network List Manager Snapin
nlmproxy.dll  10.0.18362.1  Network List Manager Public Proxy
nlmsprep.dll  10.0.18362.1  Network List Manager Sysprep Module
nlsbres.dll  10.0.18362.1  NLSBuild resource DLL
nlsdata0000.dll  10.0.18362.1  Microsoft Neutral Natural Language Server Data and Code
nlsdata0009.dll  10.0.18362.1  Microsoft English Natural Language Server Data and Code
nlsdl.dll  10.0.18362.1  Nls Downlevel DLL
nmadirect.dll  10.0.18362.1  Nma Direct
normaliz.dll  10.0.18362.1  Unicode Normalization DLL
npmproxy.dll  10.0.18362.1  Network List Manager Proxy
npsm.dll  10.0.18362.1  NPSM
npsmdesktopprovider.dll  10.0.18362.1  <d> NPSM Desktop Local Provider DLL
nshhttp.dll  10.0.18362.1  HTTP netsh DLL
nshipsec.dll  10.0.18362.1  Net Shell IP Security helper DLL
nshwfp.dll  10.0.18362.329  Windows Filtering Platform Netsh Helper
nsi.dll  10.0.18362.449  NSI User-mode interface DLL
ntasn1.dll  10.0.18362.1  Microsoft ASN.1 API
ntdll.dll  10.0.18362.719  NT Layer DLL
ntdsapi.dll  10.0.18362.1  Active Directory Domain Services API
ntlanman.dll  10.0.18362.1  Microsoft® Lan Manager
ntlanui2.dll  10.0.18362.1  Network object shell UI
ntlmshared.dll  10.0.18362.418  NTLM Shared Functionality
ntmarta.dll  10.0.18362.1  Windows NT MARTA provider
ntprint.dll  10.0.18362.1  Spooler Setup DLL
ntshrui.dll  10.0.18362.329  Shell extensions for sharing
ntvdm64.dll  10.0.18362.1  16-bit Emulation on NT64
objsel.dll  10.0.18362.1  Object Picker Dialog
occache.dll  11.0.18362.1  Object Control Viewer
ocsetapi.dll  10.0.18362.1  Windows Optional Component Setup API
odbc32.dll  10.0.18362.693  ODBC Driver Manager
odbcbcp.dll  10.0.18362.1  BCP for ODBC
odbcconf.dll  10.0.18362.1  ODBC Driver Configuration Program
odbccp32.dll  10.0.18362.1  ODBC Installer
odbccr32.dll  10.0.18362.1  ODBC Cursor Library
odbccu32.dll  10.0.18362.1  ODBC Cursor Library
odbcint.dll  10.0.18362.1  ODBC Resources
odbcji32.dll  10.0.18362.1  Microsoft ODBC Desktop Driver Pack 3.5
odbcjt32.dll  10.0.18362.1  Microsoft ODBC Desktop Driver Pack 3.5
odbctrac.dll  10.0.18362.1  ODBC Driver Manager Trace
oddbse32.dll  10.0.18362.1  ODBC (3.0) driver for DBase
odexl32.dll  10.0.18362.1  ODBC (3.0) driver for Excel
odfox32.dll  10.0.18362.1  ODBC (3.0) driver for FoxPro
odpdx32.dll  10.0.18362.1  ODBC (3.0) driver for Paradox
odtext32.dll  10.0.18362.1  ODBC (3.0) driver for text files
oemlicense.dll  10.0.18362.1  Client Licensing Platform Client Provisioning
offfilt.dll  2008.0.18362.1  OFFICE Filter
offlinelsa.dll  10.0.18362.1  Windows
offlinesam.dll  10.0.18362.1  Windows
offreg.dll  10.0.18362.295  Offline registry DLL
ole2.dll  3.10.0.103  Windows Win16 Application Launcher
ole2disp.dll  3.10.0.103  Windows Win16 Application Launcher
ole2nls.dll  3.10.0.103  Windows Win16 Application Launcher
ole32.dll  10.0.18362.693  Microsoft OLE for Windows
oleacc.dll  7.2.18362.1  Active Accessibility Core Component
oleacchooks.dll  7.2.18362.1  Active Accessibility Event Hooks Library
oleaccrc.dll  7.2.18362.1  Active Accessibility Resource DLL
oleaut32.dll  10.0.18362.693  OLEAUT32.DLL
olecli32.dll  10.0.18362.1  Object Linking and Embedding Client Library
oledb32.dll  10.0.18362.1  OLE DB Core Services
oledb32r.dll  10.0.18362.1  OLE DB Core Services Resources
oledlg.dll  10.0.18362.1  OLE User Interface Support
oleprn.dll  10.0.18362.207  Oleprn DLL
olepro32.dll  10.0.18362.113  OLEPRO32.DLL
olesvr32.dll  10.0.18362.1  Object Linking and Embedding Server Library
olethk32.dll  10.0.18362.1  Microsoft OLE for Windows
omadmapi.dll  10.0.18362.693  omadmapi
ondemandbrokerclient.dll  10.0.18362.1  OnDemandBrokerClient
ondemandconnroutehelper.dll  10.0.18362.1  On Demand Connctiond Route Helper
onecorecommonproxystub.dll  10.0.18362.1  OneCore Common Proxy Stub
onecoreuapcommonproxystub.dll  10.0.18362.449  OneCoreUAP Common Proxy Stub
onedrivesettingsyncprovider.dll  10.0.18362.1  OneDrive Setting Sync
onex.dll  10.0.18362.1  IEEE 802.1X supplicant library
onexui.dll  10.0.18362.1  IEEE 802.1X supplicant UI library
opcservices.dll  10.0.18362.1  Native Code OPC Services Library
opencl.dll  2.2.1.0  OpenCL Client DLL
opengl32.dll  10.0.18362.387  OpenGL Client DLL
ortcengine.dll  2018.6.1.57  Microsoft Skype ORTC Engine
osbaseln.dll  10.0.18362.1  Service Reporting API
osuninst.dll  10.0.18362.1  Uninstall Interface
p2p.dll  10.0.18362.295  Peer-to-Peer Grouping
p2pgraph.dll  10.0.18362.295  Peer-to-Peer Graphing
p2pnetsh.dll  10.0.18362.295  Peer-to-Peer NetSh Helper
packager.dll  10.0.18362.1  Object Packager2
packagestateroaming.dll  10.0.18362.1  Package State Roaming
panmap.dll  10.0.18362.1  PANOSE(tm) Font Mapper
pautoenr.dll  10.0.18362.1  Auto Enrollment DLL
payloadrestrictions.dll  10.0.18362.1  Payload Restrictions Mitigation Provider
paymentmediatorserviceproxy.dll  10.0.18362.1  Payment Mediator Service Proxy
pcacli.dll  10.0.18362.1  Program Compatibility Assistant Client Module
pcaui.dll  10.0.18362.1  Program Compatibility Assistant User Interface Module
pcpksp.dll  10.0.18362.1  Microsoft Platform Key Storage Provider for Platform Crypto Provider
pcshellcommonproxystub.dll  10.0.18362.1  PCShell Common Proxy Stub
pcwum.dll  10.0.18362.1  Performance Counters for Windows Native DLL
pdh.dll  10.0.18362.1  Windows Performance Data Helper DLL
pdhui.dll  10.0.18362.1  PDH UI
peopleapis.dll  10.0.18362.1  DLL for PeopleRT
perceptiondevice.dll  10.0.18362.1  Perception Device
perceptionsimulation.proxystubs.dll  10.0.18362.1  Windows Perception Simulation Proxy Stubs
perfctrs.dll  10.0.18362.1  Performance Counters
perfdisk.dll  10.0.18362.1  Windows Disk Performance Objects DLL
perfnet.dll  10.0.18362.1  Windows Network Service Performance Objects DLL
perfos.dll  10.0.18362.1  Windows System Performance Objects DLL
perfproc.dll  10.0.18362.1  Windows System Process Performance Objects DLL
perfts.dll  10.0.18362.1  Windows Remote Desktop Services Performance Objects
personax.dll  10.0.18362.1  PersonaX
phonecallhistoryapis.dll  10.0.18362.1  DLL for PhoneCallHistoryRT
phoneom.dll  10.0.18362.1  Phone Object Model
phoneplatformabstraction.dll  10.0.18362.1  Phone Platform Abstraction
phoneutil.dll  10.0.18362.1  Phone utilities
phoneutilres.dll  10.0.18362.1  Resource DLL for Phone utilities
photometadatahandler.dll  10.0.18362.1  Photo Metadata Handler
photowiz.dll  10.0.18362.1  Photo Printing Wizard
pickerplatform.dll  10.0.18362.1  PickerPlatform
pid.dll  10.0.18362.1  Microsoft PID
pidgenx.dll  10.0.18362.1  Pid Generation
pifmgr.dll  10.0.18362.1  Windows NT PIF Manager Icon Resources Library
pimindexmaintenanceclient.dll  10.0.18362.1  Client dll for Pim Index Maintenance
pimstore.dll  10.0.18362.1  POOM
pku2u.dll  10.0.18362.1  Pku2u Security Package
pla.dll  10.0.18362.1  Performance Logs & Alerts
playlistfolder.dll  10.0.18362.1  Playlist Folder
playsndsrv.dll  10.0.18362.1  PlaySound Service
playtodevice.dll  10.0.18362.1  PLAYTODEVICE DLL
playtomanager.dll  10.0.18362.1  Microsoft Windows PlayTo Manager
playtomenu.dll  12.0.18362.1  Cast to Device Menu DLL
playtoreceiver.dll  10.0.18362.1  DLNA DMR DLL
playtostatusprovider.dll  10.0.18362.1  PlayTo Status Provider Dll
pngfilt.dll  11.0.18362.1  IE PNG plugin image decoder
pnrpnsp.dll  10.0.18362.1  PNRP Name Space Provider
policymanager.dll  10.0.18362.387  Policy Manager DLL
polstore.dll  10.0.18362.1  Policy Storage dll
portabledeviceapi.dll  10.0.18362.1  Windows Portable Device API Components
portabledeviceclassextension.dll  10.0.18362.1  Windows Portable Device Class Extension Component
portabledeviceconnectapi.dll  10.0.18362.1  Portable Device Connection API Components
portabledevicestatus.dll  10.0.18362.1  Microsoft Windows Portable Device Status Provider
portabledevicesyncprovider.dll  10.0.18362.1  Microsoft Windows Portable Device Provider.
portabledevicetypes.dll  10.0.18362.1  Windows Portable Device (Parameter) Types Component
portabledevicewiacompat.dll  10.0.18362.1  PortableDevice WIA Compatibility Driver
posyncservices.dll  10.0.18362.1  Change Tracking
pots.dll  10.0.18362.1  Power Troubleshooter
powercpl.dll  10.0.18362.1  Power Options Control Panel
powrprof.dll  10.0.18362.1  Power Profile Helper DLL
presentationhostproxy.dll  10.0.18362.1  Windows Presentation Foundation Host Proxy
prflbmsg.dll  10.0.18362.1  Perflib Event Messages
print.workflow.source.dll  10.0.18362.1  Microsoft Windows Print Workflow Source App Library
printconfig.dll  0.3.18362.145  PrintConfig User Interface
printplatformconfig.dll  10.0.18362.1  Legacy Print Platform Adapter
printui.dll  10.0.18362.1  Printer Settings User Interface
printworkflowproxy.dll  10.0.18362.1  Microsoft Windows Print Workflow Proxy
printworkflowservice.dll  10.0.18362.1  Microsoft Windows Print Workflow Service Internal
printwsdahost.dll  10.0.18362.1  PrintWSDAHost
prncache.dll  10.0.18362.1  Print UI Cache
prnfldr.dll  10.0.18362.1  prnfldr dll
prnntfy.dll  10.0.18362.1  prnntfy DLL
prntvpt.dll  10.0.18362.387  Print Ticket Services Module
profapi.dll  10.0.18362.693  User Profile Basic API
profext.dll  10.0.18362.719  profext
propsys.dll  7.0.18362.267  Microsoft Property System
provcore.dll  10.0.18362.1  Microsoft Wireless Provisioning Core
provisioningcommandscsp.dll  10.0.18362.1  Provisioning package command configuration service provider
provmigrate.dll  10.0.18362.1  Provisioning Migration Handler
provplatformdesktop.dll  10.0.18362.207  Provisioning platform for desktop editions
provsvc.dll  10.0.18362.1  Windows HomeGroup
provthrd.dll  10.0.18362.1  WMI Provider Thread & Log Library
proximitycommon.dll  10.0.18362.1  Proximity Common Implementation
proximitycommonpal.dll  10.0.18362.1  Proximity Common PAL
proximityrtapipal.dll  10.0.18362.1  Proximity WinRT API PAL
prvdmofcomp.dll  10.0.18362.1  WMI
psapi.dll  10.0.18362.1  Process Status Helper
pshed.dll  10.0.18362.1  Platform Specific Hardware Error Driver
psisdecd.dll  10.0.18362.1  Microsoft SI/PSI parser for MPEG2 based networks.
psmodulediscoveryprovider.dll  10.0.18362.1  WMI
pstorec.dll  10.0.18362.1  Deprecated Protected Storage COM interfaces
puiapi.dll  10.0.18362.628  puiapi DLL
puiobj.dll  10.0.18362.628  PrintUI Objects DLL
pwrshplugin.dll  10.0.18362.1  pwrshplugin.dll
qasf.dll  12.0.18362.1  DirectShow ASF Support
qcap.dll  10.0.18362.1  DirectShow Runtime.
qdv.dll  10.0.18362.1  DirectShow Runtime.
qdvd.dll  10.0.18362.1  DirectShow DVD PlayBack Runtime.
qedit.dll  10.0.18362.1  DirectShow Editing.
qedwipes.dll  10.0.18362.1  DirectShow Editing SMPTE Wipes
quartz.dll  10.0.18362.1  DirectShow Runtime.
query.dll  10.0.18362.1  Content Index Utility DLL
qwave.dll  10.0.18362.1  Windows NT
racengn.dll  10.0.18362.1  Reliability analysis metrics calculation engine
racpldlg.dll  10.0.18362.1  Remote Assistance Contact List
radardt.dll  10.0.18362.1  Microsoft Windows Resource Exhaustion Detector
radarrs.dll  10.0.18362.1  Microsoft Windows Resource Exhaustion Resolver
radcui.dll  10.0.18362.1  RemoteApp and Desktop Connection UI Component
rasadhlp.dll  10.0.18362.1  Remote Access AutoDial Helper
rasapi32.dll  10.0.18362.387  Remote Access API
raschap.dll  10.0.18362.1  Remote Access PPP CHAP
raschapext.dll  10.0.18362.1  Windows Extension library for raschap
rasctrs.dll  10.0.18362.1  Windows NT Remote Access Perfmon Counter dll
rasdiag.dll  10.0.18362.1  RAS Diagnostics Helper Classes
rasdlg.dll  10.0.18362.1  Remote Access Common Dialog API
rasgcw.dll  10.0.18362.1  RAS Wizard Pages
rasman.dll  10.0.18362.1  Remote Access Connection Manager
rasmontr.dll  10.0.18362.1  RAS Monitor DLL
rasplap.dll  10.0.18362.1  RAS PLAP Credential Provider
rasppp.dll  10.0.18362.1  Remote Access PPP
rastapi.dll  10.0.18362.267  Remote Access TAPI Compliance Layer
rastls.dll  10.0.18362.207  Remote Access PPP EAP-TLS
rastlsext.dll  10.0.18362.1  Windows Extension library for rastls
rdpbase.dll  10.0.18362.657  Rdp OneCore Base Services
rdpcore.dll  10.0.18362.693  RDP Core DLL
rdpencom.dll  10.0.18362.657  RDPSRAPI COM Objects
rdpendp.dll  10.0.18362.1  RDP Audio Endpoint
rdpsaps.dll  10.0.18362.1  RDP Session Agent Proxy Stub
rdpserverbase.dll  10.0.18362.657  Rdp Server OneCore Base Services
rdpsharercom.dll  10.0.18362.693  RDPSRAPI Sharer COM Objects
rdpviewerax.dll  10.0.18362.657  RDPSRAPI Viewer COM Objects and ActiveX
rdvvmtransport.dll  10.0.18362.387  RdvVmTransport EndPoints
reagent.dll  10.0.18362.657  Microsoft Windows Recovery Agent DLL
regapi.dll  10.0.18362.628  Registry Configuration APIs
regctrl.dll  10.0.18362.1  RegCtrl
reguwpapi.dll  10.0.18362.1  UWP Registry API
reinfo.dll  10.0.18362.1  Microsoft Windows Recovery Info DLL
remoteaudioendpoint.dll  10.0.18362.628  Remote Audio Endpoint
remotepg.dll  10.0.18362.1  Remote Sessions CPL Extension
removedevicecontexthandler.dll  10.0.18362.1  Devices & Printers Remove Device Context Menu Handler
removedeviceelevated.dll  10.0.18362.1  RemoveDeviceElevated Proxy Dll
resampledmo.dll  10.0.18362.1  Windows Media Resampler
resourcepolicyclient.dll  10.0.18362.1  Resource Policy Client
resutils.dll  10.0.18362.628  Microsoft Cluster Resource Utility DLL
rgb9rast.dll  10.0.18362.1  Microsoft® Windows® Operating System
riched20.dll  5.31.23.1231  Rich Text Edit Control, v3.1
riched32.dll  10.0.18362.1  Wrapper Dll for Richedit 1.0
rmclient.dll  10.0.18362.267  Resource Manager Client
rnr20.dll  10.0.18362.1  Windows Socket2 NameSpace DLL
rometadata.dll  4.8.3673.0  Microsoft MetaData Library
rpchttp.dll  10.0.18362.1  RPC HTTP DLL
rpcns4.dll  10.0.18362.1  Remote Procedure Call Name Service Client
rpcnsh.dll  10.0.18362.1  RPC Netshell Helper
rpcrt4.dll  10.0.18362.628  Remote Procedure Call Runtime
rpcrtremote.dll  10.0.18362.1  Remote RPC Extension
rsaenh.dll  10.0.18362.1  Microsoft Enhanced Cryptographic Provider
rshx32.dll  10.0.18362.1  Security Shell Extension
rstrtmgr.dll  10.0.18362.1  Restart Manager
rtffilt.dll  2008.0.18362.1  RTF Filter
rtm.dll  10.0.18362.693  Routing Table Manager
rtmcodecs.dll  2018.6.1.57  Microsoft Real Time Media Codec Library
rtmediaframe.dll  10.0.18362.1  Windows Runtime MediaFrame DLL
rtmmvrortc.dll  2018.6.1.57  Microsoft Real Time Media ORTC Video Renderer
rtmpal.dll  2018.6.1.57  Microsoft Real Time Media Stack PAL
rtmpltfm.dll  2018.6.1.57  Microsoft Real Time Media Stack
rtutils.dll  10.0.18362.657  Routing Utilities
rtworkq.dll  10.0.18362.1  Realtime WorkQueue DLL
samcli.dll  10.0.18362.1  Security Accounts Manager Client DLL
samlib.dll  10.0.18362.1  SAM Library DLL
sas.dll  10.0.18362.1  WinLogon Software SAS Library
sbe.dll  10.0.18362.1  DirectShow Stream Buffer Filter.
sbeio.dll  12.0.18362.1  Stream Buffer IO DLL
sberes.dll  10.0.18362.1  DirectShow Stream Buffer Filter Resouces.
scansetting.dll  10.0.18362.1  Microsoft® Windows(TM) ScanSettings Profile and Scanning implementation
scarddlg.dll  10.0.18362.1  SCardDlg - Smart Card Common Dialog
scecli.dll  10.0.18362.719  Windows Security Configuration Editor Client Engine
scesrv.dll  10.0.18362.1  Windows Security Configuration Editor Engine
schannel.dll  10.0.18362.418  TLS / SSL Security Provider
schedcli.dll  10.0.18362.1  Scheduler Service Client DLL
scksp.dll  10.0.18362.1  Microsoft Smart Card Key Storage Provider
scripto.dll  6.6.18362.1  Microsoft ScriptO
scrobj.dll  5.812.10240.16384  Windows ® Script Component Runtime
scrrun.dll  5.812.10240.16384  Microsoft ® Script Runtime
sdiageng.dll  10.0.18362.1  Scripted Diagnostics Execution Engine
sdiagprv.dll  10.0.18362.1  Windows Scripted Diagnostic Provider API
sdohlp.dll  10.0.18362.1  NPS SDO Helper Component
search.protocolhandler.mapi2.dll  7.0.18362.719  Microsoft Search Protocol Handler for MAPI2
searchfolder.dll  10.0.18362.329  SearchFolder
sechost.dll  10.0.18362.693  Host for SCM/SDDL/LSA Lookup APIs
secproc.dll  10.0.18362.388  Windows Rights Management Desktop Security Processor
secproc_isv.dll  10.0.18362.1  Windows Rights Management Desktop Security Processor
secproc_ssp.dll  10.0.18362.1  Windows Rights Management Services Server Security Processor
secproc_ssp_isv.dll  10.0.18362.1  Windows Rights Management Services Server Security Processor (Pre-production)
secur32.dll  10.0.18362.1  Security Support Provider Interface
security.dll  10.0.18362.1  Security Support Provider Interface
securitycenterbrokerps.dll  10.0.18362.1  SecurityCenterBrokerPS
semgrps.dll  10.0.18362.1  SEMgrSvc Proxy
sendmail.dll  10.0.18362.1  Send Mail
sensapi.dll  10.0.18362.1  SENS Connectivity API DLL
sensorsapi.dll  10.0.18362.1  Sensor API
sensorscpl.dll  10.0.18362.1  Open Location and Other Sensors
sensorsnativeapi.dll  10.0.18362.1  Sensors Native API
sensorsnativeapi.v2.dll  10.0.18362.1  Sensors Native API (V2 stack)
sensorsutilsv2.dll  10.0.18362.1  Sensors v2 Utilities DLL
serialui.dll  10.0.18362.1  Serial Port Property Pages
serwvdrv.dll  10.0.18362.1  Unimodem Serial Wave driver
sessenv.dll  10.0.18362.387  Remote Desktop Configuration service
settingmonitor.dll  10.0.18362.1  Setting Synchronization Change Monitor
settingsync.dll  10.0.18362.1  Setting Synchronization
settingsynccore.dll  10.0.18362.239  Setting Synchronization Core
setupapi.dll  10.0.18362.1  Windows Setup API
setupcln.dll  10.0.18362.1  Setup Files Cleanup
sfc.dll  10.0.18362.1  Windows File Protection
sfc_os.dll  10.0.18362.1  Windows File Protection
sgx_enclave_common.dll  2.4.100.51291  Intel® SGX Enclave Common DLL
sgx_uae_service.dll  2.4.100.51291  Intel® SGX AE Service DLL
sgx_urts.dll  2.4.100.51291  Intel® SGX Runtime System DLL
shacct.dll  10.0.18362.1  Shell Accounts Classes
shacctprofile.dll  10.0.18362.1  Shell Accounts Profile Classes
sharehost.dll  10.0.18362.1  ShareHost
shcore.dll  10.0.18362.1  SHCORE
shdocvw.dll  10.0.18362.1  Shell Doc Object and Control Library
shell32.dll  10.0.18362.719  Windows Shell Common Dll
shellcommoncommonproxystub.dll  10.0.18362.1  ShellCommon Common Proxy Stub
shellstyle.dll  10.0.18362.1  Windows Shell Style Resource Dll
shfolder.dll  10.0.18362.1  Shell Folder Service
shgina.dll  10.0.18362.1  Windows Shell User Logon
shimeng.dll  10.0.18362.1  Shim Engine DLL
shimgvw.dll  10.0.18362.1  Photo Gallery Viewer
shlwapi.dll  10.0.18362.1  Shell Light-weight Utility Library
shpafact.dll  10.0.18362.1  Windows Shell LUA/PA Elevation Factory Dll
shsetup.dll  10.0.18362.1  Shell setup helper
shsvcs.dll  10.0.18362.1  Windows Shell Services Dll
shunimpl.dll  10.0.18362.1  Windows Shell Obsolete APIs
shutdownext.dll  10.0.18362.1  Shutdown Graphic User Interface
shwebsvc.dll  10.0.18362.1  Windows Shell Web Services
signdrv.dll  10.0.18362.1  WMI provider for Signed Drivers
simauth.dll  10.0.18362.1  EAP SIM run-time dll
simcfg.dll  10.0.18362.1  EAP SIM config dll
slc.dll  10.0.18362.1  Software Licensing Client Dll
slcext.dll  10.0.18362.1  Software Licensing Client Extension Dll
slwga.dll  10.0.18362.1  Software Licensing WGA API
smartcardcredentialprovider.dll  10.0.18362.1  Windows Smartcard Credential Provider
smartscreenps.dll  10.0.18362.1  SmartScreenPS
smbhelperclass.dll  1.0.0.1  SMB (File Sharing) Helper Class for Network Diagnostic Framework
smphost.dll  10.0.18362.1  Storage Management Provider (SMP) host service
sndvolsso.dll  10.0.18362.1  SCA Volume
snmpapi.dll  10.0.18362.1  SNMP Utility Library
socialapis.dll  10.0.18362.1  DLL for SocialRT
softkbd.dll  10.0.18362.1  Soft Keyboard Server and Tip
softpub.dll  10.0.18362.1  Softpub Forwarder DLL
sortserver2003compat.dll  10.0.18362.1  Sort Version Server 2003
sortwindows61.dll  10.0.18362.1  SortWindows61 Dll
sortwindows6compat.dll  10.0.18362.1  Sort Version Windows 6.0
spacebridge.dll  10.0.18362.1  SpaceBridge
spatializerapo.dll  10.0.18362.1  Spatializer APO
spbcd.dll  10.0.18362.1  BCD Sysprep Plugin
spfileq.dll  10.0.18362.1  Windows SPFILEQ
spinf.dll  10.0.18362.1  Windows SPINF
spnet.dll  10.0.18362.1  Net Sysprep Plugin
spopk.dll  10.0.18362.1  OPK Sysprep Plugin
spp.dll  10.0.18362.1  Microsoft® Windows Shared Protection Point Library
sppc.dll  10.0.18362.1  Software Licensing Client Dll
sppcext.dll  10.0.18362.1  Software Protection Platform Client Extension Dll
sppcomapi.dll  10.0.18362.693  Software Licensing Library
sppinst.dll  10.0.18362.1  SPP CMI Installer Plug-in DLL
sppwmi.dll  10.0.18362.1  Software Protection Platform WMI provider
spwinsat.dll  10.0.18362.1  WinSAT Sysprep Plugin
spwizeng.dll  10.0.18362.1  Setup Wizard Framework
spwmp.dll  12.0.18362.449  Windows Media Player System Preparation DLL
sqlcecompact40.dll  4.0.8275.1  Database Repair Tool (32-bit)
sqlceoledb40.dll  4.0.18362.1  OLEDB Provider (32-bit)
sqlceqp40.dll  4.0.18362.1  Query Processor (32-bit)
sqlcese40.dll  4.0.18362.1  Storage Engine (32-bit)
sqloledb.dll  10.0.18362.1  OLE DB Provider for SQL Server
sqlsrv32.dll  10.0.18362.1  SQL Server ODBC Driver
sqlunirl.dll  2000.80.2039.0  String Function .DLL for SQL Enterprise Components
sqlwid.dll  2000.80.2039.0  Unicode Function .DLL for SQL Enterprise Components
sqlwoa.dll  2000.80.2040.0  Unicode/ANSI Function .DLL for SQL Enterprise Components
sqlxmlx.dll  10.0.18362.1  XML extensions for SQL Server
sqmapi.dll  10.0.18362.1  SQM Client
srchadmin.dll  7.0.18362.1  Indexing Options
srclient.dll  10.0.18362.1  Microsoft® Windows System Restore Client Library
srpapi.dll  10.0.18362.1  SRP APIs Dll
srumapi.dll  10.0.18362.1  System Resource Usage Monitor API
srumsvc.dll  10.0.18362.1  System Resource Usage Monitor Service
srvcli.dll  10.0.18362.1  Server Service Client DLL
sscore.dll  10.0.18362.1  Server Service Core DLL
ssdm.dll    
ssdpapi.dll  10.0.18362.1  SSDP Client API DLL
sspicli.dll  10.0.18362.1  Security Support Provider Interface
ssshim.dll  10.0.18362.1  Windows Componentization Platform Servicing API
startupscan.dll  10.0.18362.1  Startup scan task DLL
staterepository.core.dll  10.0.18362.1  StateRepository Core
stclient.dll  2001.12.10941.16384  COM+ Configuration Catalog Client
sti.dll  10.0.18362.592  Still Image Devices client DLL
stobject.dll  10.0.18362.1  Systray shell service object
storage.dll  3.10.0.103  Windows Win16 Application Launcher
storagecontexthandler.dll  10.0.18362.1  Device Center Storage Context Menu Handler
storagewmi.dll  10.0.18362.1  WMI Provider for Storage Management
storagewmi_passthru.dll  10.0.18362.1  WMI PassThru Provider for Storage Management
storprop.dll  10.0.18362.1  Property Pages for Storage Devices
structuredquery.dll  7.0.18362.657  Structured Query
sud.dll  10.0.18362.387  SUD Control Panel
sxproxy.dll  10.0.18362.1  Microsoft® Windows System Protection Proxy Library
sxs.dll  10.0.18362.719  Fusion 2.5
sxshared.dll  10.0.18362.1  Microsoft® Windows SX Shared Library
sxsstore.dll  10.0.18362.1  Sxs Store DLL
synccenter.dll  10.0.18362.1  Microsoft Sync Center
synccontroller.dll  10.0.18362.295  SyncController for managing sync of mail, contacts, calendar
synchostps.dll  10.0.18362.1  Proxystub for sync host
syncinfrastructure.dll  10.0.18362.1  Microsoft Windows Sync Infrastructure.
syncinfrastructureps.dll  10.0.18362.1  Microsoft Windows sync infrastructure proxy stub.
syncproxy.dll  10.0.18362.1  SyncProxy for RPC communication about sync of mail, contacts, calendar
syncreg.dll  2007.94.18362.1  Microsoft Synchronization Framework Registration
syncres.dll  10.0.18362.1  ActiveSync Resources
syncsettings.dll  10.0.18362.1  Sync Settings
syncutil.dll  10.0.18362.1  Sync utilities for mail, contacts, calendar
syssetup.dll  10.0.18362.1  Windows NT System Setup
systemcpl.dll  10.0.18362.1  My System CPL
systemeventsbrokerclient.dll  10.0.18362.1  system Events Broker Client Library
systemsettings.datamodel.dll  10.0.18362.1  SystemSettings.Datamodel private API
systemsupportinfo.dll  10.0.18362.1  Microsoft Windows operating system.
t2embed.dll  10.0.18362.535  Microsoft T2Embed Font Embedding
tapi3.dll  10.0.18362.1  Microsoft TAPI3
tapi32.dll  10.0.18362.1  Microsoft® Windows(TM) Telephony API Client DLL
tapimigplugin.dll  10.0.18362.1  Microsoft® Windows(TM) TAPI Migration Plugin Dll
tapiperf.dll  10.0.18362.1  Microsoft® Windows(TM) Telephony Performance Monitor
tapisrv.dll  10.0.18362.657  Microsoft® Windows(TM) Telephony Server
tapisysprep.dll  10.0.18362.1  Microsoft® Windows(TM) Telephony Sysprep Work
tapiui.dll  10.0.18362.1  Microsoft® Windows(TM) Telephony API UI DLL
taskapis.dll  10.0.18362.1  DLL for TaskRT
taskcomp.dll  10.0.18362.175  Task Scheduler Backward Compatibility Plug-in
taskschd.dll  10.0.18362.387  Task Scheduler COM API
taskschdps.dll  10.0.18362.1  Task Scheduler Interfaces Proxy
tbauth.dll  10.0.18362.267  TBAuth protocol handler
tbs.dll  10.0.18362.693  TBS
tcpipcfg.dll  10.0.18362.1  Network Configuration Objects
tcpmib.dll  10.0.18362.1  Standard TCP/IP Port Monitor Helper DLL
tcpmonui.dll  10.0.18362.1  Standard TCP/IP Port Monitor UI DLL
tdh.dll  10.0.18362.329  Event Trace Helper Library
teemanagement.dll  1.34.2019.714  Intel(R) Dynamic Application Loader Host Interface DLL
tempsignedlicenseexchangetask.dll  10.0.18362.1  TempSignedLicenseExchangeTask Task
termmgr.dll  10.0.18362.1  Microsoft TAPI3 Terminal Manager
tetheringclient.dll  10.0.18362.1  Tethering Client
textinputframework.dll  10.0.18362.207  "TextInputFramework.DYNLINK"
textinputmethodformatter.dll    
themecpl.dll  10.0.18362.1  Personalization CPL
themeui.dll  10.0.18362.1  Windows Theme API
threadpoolwinrt.dll  10.0.18362.1  Windows WinRT Threadpool
thumbcache.dll  10.0.18362.1  Microsoft Thumbnail Cache
tiledatarepository.dll  10.0.18362.1  Tile Data Repository
timedatemuicallback.dll  10.0.18362.1  Time Date Control UI Language Change plugin
tlscsp.dll  10.0.18362.1  Microsoft® Remote Desktop Services Cryptographic Utility
tokenbinding.dll  10.0.18362.1  Token Binding Protocol
tokenbroker.dll  10.0.18362.267  Token Broker
tokenbrokerui.dll  10.0.18362.1  Token Broker UI
tpmcertresources.dll  10.0.18362.693  TpmCertResources
tpmcompc.dll  10.0.18362.1  Computer Chooser Dialog
tpmcoreprovisioning.dll  10.0.18362.693  TPM Core Provisioning Library
tquery.dll  7.0.18362.719  Microsoft Tripoli Query
traffic.dll  10.0.18362.1  Microsoft Traffic Control 1.0 DLL
trustedsignalcredprov.dll  10.0.18362.1  TrustedSignal Credential Provider
tsbyuv.dll  10.0.18362.1  Toshiba Video Codec
tsgqec.dll  10.0.18362.657  RD Gateway QEC
tsmf.dll  10.0.18362.592  RDP MF Plugin
tspkg.dll  10.0.18362.1  Web Service Security Package
tsworkspace.dll  10.0.18362.1  RemoteApp and Desktop Connection Component
ttdloader.dll  10.0.18362.1  Time Travel Debugger User Mode Runtime Loader
ttdloaderwow64.dll  10.0.18362.1  Time Travel Debugger loader Wow64 User Mode Runtime
ttdplm.dll  10.0.18362.1  Time Travel Debugger PLM APIs
ttdrecord.dll  10.0.18362.1  Time Travel Debugger Recording Manager
ttdrecordcpu.dll  10.0.18362.387  Nirvana Time Travel Debugging CPU Recorder Runtime
ttdwriter.dll  10.0.18362.387  Time Travel Debugging Trace Writer
ttlsauth.dll  10.0.18362.1  EAP TTLS run-time dll
ttlscfg.dll  10.0.18362.1  EAP TTLS configuration dll
ttlsext.dll  10.0.18362.1  Windows Extension library for EAP TTLS
tvratings.dll  10.0.18362.1  Module for managing TV ratings
twext.dll  10.0.18362.329  Previous Versions property page
twinapi.appcore.dll  10.0.18362.693  twinapi.appcore
twinapi.dll  10.0.18362.628  twinapi
twinui.appcore.dll  10.0.18362.1  TWINUI.APPCORE
twinui.dll  10.0.18362.693  TWINUI
txflog.dll  2001.12.10941.16384  COM+
txfw32.dll  10.0.18362.1  TxF Win32 DLL
typelib.dll  3.10.0.103  Windows Win16 Application Launcher
tzautoupdate.dll  10.0.18362.267  Auto Time Zone Updater
tzres.dll  10.0.18362.449  Time Zones resource DLL
ucmhc.dll  10.0.18362.1  UCM Helper Class
ucrtbase.dll  10.0.18362.387  Microsoft® C Runtime Library
ucrtbase_clr0400.dll  14.10.25028.0  Microsoft® C Runtime Library
udhisapi.dll  10.0.18362.719  UPnP Device Host ISAPI Extension
uexfat.dll  10.0.18362.1  eXfat Utility DLL
ufat.dll  10.0.18362.1  FAT Utility DLL
uiamanager.dll  10.0.18362.1  UiaManager
uianimation.dll  10.0.18362.1  Windows Animation Manager
uiautomationcore.dll  7.2.18362.693  Microsoft UI Automation Core
uicom.dll  10.0.18362.1  Add/Remove Modems
uimanagerbrokerps.dll  10.0.18362.1  Microsoft UIManager Broker Proxy Stub
uireng.dll  10.0.18362.1  UI Recording Engine Library
uiribbon.dll  10.0.18362.1  Windows Ribbon Framework
ulib.dll  10.0.18362.207  File Utilities Support DLL
umdmxfrm.dll  10.0.18362.1  Unimodem Tranform Module
umpdc.dll    
unenrollhook.dll  10.0.18362.1  unenrollhook DLL
unimdmat.dll  10.0.18362.1  Unimodem Service Provider AT Mini Driver
uniplat.dll  10.0.18362.1  Unimodem AT Mini Driver Platform Driver for Windows NT
unistore.dll  10.0.18362.356  Unified Store
untfs.dll  10.0.18362.1  NTFS Utility DLL
updatepolicy.dll  10.0.18362.1  Update Policy Reader
upnp.dll  10.0.18362.1  UPnP Control Point API
upnphost.dll  10.0.18362.719  UPnP Device Host
urefs.dll  10.0.18362.693  NTFS Utility DLL
urefsv1.dll  10.0.18362.1  NTFS Utility DLL
ureg.dll  10.0.18362.1  Registry Utility DLL
url.dll  11.0.18362.1  Internet Shortcut Shell Extension DLL
urlmon.dll  11.0.18362.693  OLE32 Extensions for Win32
usbceip.dll  10.0.18362.1  USBCEIP Task
usbperf.dll  10.0.18362.1  USB Performance Objects DLL
usbui.dll  10.0.18362.1  USB UI Dll
user32.dll  10.0.18362.719  Multi-User Windows USER API Client DLL
useraccountcontrolsettings.dll  10.0.18362.1  UserAccountControlSettings
useractivitybroker.dll  10.0.18362.1  useractivitybroker
usercpl.dll  10.0.18362.1  User control panel
userdataaccessres.dll  10.0.18362.1  Resource DLL for the UserDataAccess stack
userdataaccountapis.dll  10.0.18362.1  DLL for UserDataAccountsRT
userdatalanguageutil.dll  10.0.18362.1  Language-related helper functions for user data
userdataplatformhelperutil.dll  10.0.18362.1  Platform Utilities for data access
userdatatimeutil.dll  10.0.18362.1  Time-related helper functions for user data
userdatatypehelperutil.dll  10.0.18362.1  Type Utilities for data access
userdeviceregistration.dll  10.0.18362.1  AAD User Device Registration WinRT
userdeviceregistration.ngc.dll  10.0.18362.1  AD/AAD User Device Registration WinRT
userenv.dll  10.0.18362.387  Userenv
userinitext.dll  10.0.18362.1  UserInit Utility Extension DLL
userlanguageprofilecallback.dll  10.0.18362.657  MUI Callback for User Language profile changed
usermgrcli.dll  10.0.18362.1  UserMgr API DLL
usermgrproxy.dll  10.0.18362.1  UserMgrProxy
usoapi.dll  10.0.18362.628  Update Session Orchestrator API
usp10.dll  10.0.18362.476  Uniscribe Unicode script processor
ustprov.dll  10.0.18362.1  User State WMI Provider
utildll.dll  10.0.18362.1  WinStation utility support DLL
uudf.dll  10.0.18362.1  UDF Utility DLL
uxinit.dll  10.0.18362.1  Windows User Experience Session Initialization Dll
uxlib.dll  10.0.18362.1  Setup Wizard Framework
uxlibres.dll  10.0.18362.1  UXLib Resources
uxtheme.dll  10.0.18362.449  Microsoft UxTheme Library
van.dll  10.0.18362.1  View Available Networks
vault.dll  10.0.18362.1  Windows vault Control Panel
vaultcli.dll  10.0.18362.1  Credential Vault Client Library
vbajet32.dll  6.0.1.9431  Visual Basic for Applications Development Environment - Expression Service Loader
vbscript.dll  5.812.10240.16384  Microsoft ® VBScript
vcamp110.dll  11.0.51106.1  Microsoft® C++ AMP Runtime
vcardparser.dll  10.0.18362.1  Supports the parsing of VCard and ICal formatted data
vccorlib110.dll  11.0.51106.1  Microsoft ® VC WinRT core library
vccorlib120.dll  12.0.21005.1  Microsoft ® VC WinRT core library
vccorlib140.dll  14.16.27033.0  Microsoft ® VC WinRT core library
vcomp100.dll  10.0.40219.325  Microsoft® C/C++ OpenMP Runtime
vcomp110.dll  11.0.51106.1  Microsoft® C/C++ OpenMP Runtime
vcomp140.dll  14.0.23026.0  Microsoft® C/C++ OpenMP Runtime
vcruntime140.dll  14.16.27033.0  Microsoft® C Runtime Library
vcruntime140_clr0400.dll  14.10.25028.0  Microsoft® C Runtime Library
vdmdbg.dll  10.0.18362.1  VDMDBG.DLL
vds_ps.dll  10.0.18362.1  Microsoft® Virtual Disk Service proxy/stub
verifier.dll  10.0.18362.1  Standard application verifier provider dll
version.dll  10.0.18362.1  Version Checking and File Installation Libraries
vfwwdm32.dll  10.0.18362.1  VfW MM Driver for WDM Video Capture Devices
vidreszr.dll  10.0.18362.1  Windows Media Resizer
virtdisk.dll  10.0.18362.1  Virtual Disk API DLL
voiceactivationmanager.dll  10.0.18362.1  Windows Voice Activation Manager
voiprt.dll  10.0.18362.1  Voip Runtime
vpnikeapi.dll  10.0.18362.1  VPN IKE API's
vscmgrps.dll  10.0.18362.1  Microsoft Virtual Smart Card Manager Proxy/Stub
vss_ps.dll  10.0.18362.1  Microsoft® Volume Shadow Copy Service proxy/stub
vssapi.dll  10.0.18362.1  Microsoft® Volume Shadow Copy Requestor/Writer Services API DLL
vsstrace.dll  10.0.18362.1  Microsoft® Volume Shadow Copy Service Tracing Library
vulkan-1.dll  1.1.121.2  Vulkan Loader
vulkan-1-999-0-0-0.dll  1.1.121.2  Vulkan Loader
w32topl.dll  10.0.18362.1  Windows NT Topology Maintenance Tool
wab32.dll  10.0.18362.1  Microsoft (R) Contacts DLL
wab32res.dll  10.0.18362.1  Microsoft (R) Contacts DLL
wabsyncprovider.dll  10.0.18362.1  Microsoft Windows Contacts Sync Provider
walletbackgroundserviceproxy.dll  10.0.18362.1  Wallet Background Proxy
walletproxy.dll  10.0.18362.1  Wallet proxy
wavemsp.dll  10.0.18362.1  Microsoft Wave MSP
wbemcomn.dll  10.0.18362.1  WMI
wcmapi.dll  10.0.18362.1  Windows Connection Manager Client API
wcnapi.dll  10.0.18362.1  Windows Connect Now - API Helper DLL
wcnwiz.dll  10.0.18362.1  Windows Connect Now Wizards
wdc.dll  10.0.18362.1  Performance Monitor
wdi.dll  10.0.18362.1  Windows Diagnostic Infrastructure
wdigest.dll  10.0.18362.1  Microsoft Digest Access
wdscore.dll  10.0.18362.1  Panther Engine Module
webauthn.dll  10.0.18362.267  Web Authentication
webcamui.dll  10.0.18362.1  Microsoft® Windows® Operating System
webcheck.dll  11.0.18362.1  Web Site Monitor
webclnt.dll  10.0.18362.1  Web DAV Service DLL
webio.dll  10.0.18362.628  Web Transfer Protocols API
webplatstorageserver.dll  10.0.18362.693  "webplatstorageserver.DYNLINK"
webservices.dll  10.0.18362.1  Windows Web Services Runtime
websocket.dll  10.0.18362.657  Web Socket API
wecapi.dll  10.0.18362.1  Event Collector Configuration API
wer.dll  10.0.18362.719  Windows Error Reporting DLL
werdiagcontroller.dll  10.0.18362.719  WER Diagnostic Controller
weretw.dll  10.0.18362.719  WERETW.DLL
werui.dll  10.0.18362.657  Windows Error Reporting UI DLL
wevtapi.dll  10.0.18362.1  Eventing Consumption and Configuration API
wevtfwd.dll  10.0.18362.1  WS-Management Event Forwarding Plug-in
wfapigp.dll  10.0.18362.449  Windows Defender Firewall GPO Helper dll
wfdprov.dll  10.0.18362.1  Private WPS provisioning API DLL for Wi-Fi Direct
wfhc.dll  10.0.18362.1  Windows Defender Firewall Helper Class
whhelper.dll  10.0.18362.1  Net shell helper DLL for winHttp
wiaaut.dll  10.0.18362.592  WIA Automation Layer
wiadefui.dll  10.0.18362.1  WIA Scanner Default UI
wiadss.dll  10.0.18362.592  WIA TWAIN compatibility layer
wiascanprofiles.dll  10.0.18362.1  Microsoft Windows ScanProfiles
wiashext.dll  10.0.18362.1  Imaging Devices Shell Folder UI
wiatrace.dll  10.0.18362.592  WIA Tracing
wifidisplay.dll  10.0.18362.267  Wi-Fi Display DLL
wimgapi.dll  10.0.18362.657  Windows Imaging Library
win32u.dll  10.0.18362.719  Win32u
winbio.dll  10.0.18362.1  Windows Biometrics Client API
winbioext.dll  10.0.18362.1  Windows Biometrics Client Extension API
winbrand.dll  10.0.18362.1  Windows Branding Resources
wincorlib.dll  10.0.18362.693  Microsoft Windows ® WinRT core library
wincredprovider.dll  10.0.18362.1  wincredprovider DLL
wincredui.dll  10.0.18362.449  Credential Manager User Internal Interface
windows.accountscontrol.dll  10.0.18362.1  Windows Accounts Control
windows.ai.machinelearning.dll  10.0.18362.449  Windows Machine Learning Runtime
windows.ai.machinelearning.preview.dll  10.0.18362.1  WinRT Windows Machine Learning Preview DLL
windows.applicationmodel.background.systemeventsbroker.dll  10.0.18362.1  Windows Background System Events Broker API Server
windows.applicationmodel.background.timebroker.dll  10.0.18362.1  Windows Background Time Broker API Server
windows.applicationmodel.core.dll  10.0.18362.1  Windows Application Model Core API
windows.applicationmodel.datatransfer.dll  10.0.18362.1  Windows.ApplicationModel.DataTransfer
windows.applicationmodel.dll  10.0.18362.1  Windows ApplicationModel API Server
windows.applicationmodel.lockscreen.dll  10.0.18362.1  Windows Lock Application Framework DLL
windows.applicationmodel.store.dll  10.0.18362.207  Microsoft Store Runtime DLL
windows.applicationmodel.store.preview.dosettings.dll  10.0.18362.1  Delivery Optimization Settings
windows.applicationmodel.store.testingframework.dll  10.0.18362.207  Microsoft Store Testing Framework Runtime DLL
windows.applicationmodel.wallet.dll  10.0.18362.1  Windows ApplicationModel Wallet Runtime DLL
windows.cortana.proxystub.dll  10.0.18362.1  Windows.Cortana.ProxyStub
windows.data.pdf.dll  10.0.18362.535  PDF WinRT APIs
windows.devices.alljoyn.dll  10.0.18362.1  Windows.Devices.AllJoyn DLL
windows.devices.background.dll  10.0.18362.1  Windows.Devices.Background
windows.devices.background.ps.dll  10.0.18362.1  Windows.Devices.Background Interface Proxy
windows.devices.bluetooth.dll  10.0.18362.267  Windows.Devices.Bluetooth DLL
windows.devices.custom.dll  10.0.18362.1  Windows.Devices.Custom
windows.devices.custom.ps.dll  10.0.18362.1  Windows.Devices.Custom Interface Proxy
windows.devices.enumeration.dll  10.0.18362.535  Windows.Devices.Enumeration
windows.devices.haptics.dll  10.0.18362.1  Windows Runtime Haptics DLL
windows.devices.humaninterfacedevice.dll  10.0.18362.1  Windows.Devices.HumanInterfaceDevice DLL
windows.devices.lights.dll  10.0.18362.329  Windows Runtime Lights DLL
windows.devices.lowlevel.dll  10.0.18362.1  Windows.Devices.LowLevel DLL
windows.devices.midi.dll  10.0.18362.1  Windows Runtime MIDI Device server DLL
windows.devices.perception.dll  10.0.18362.1  Windows Devices Perception API
windows.devices.picker.dll  10.0.18362.1  Device Picker
windows.devices.pointofservice.dll  10.0.18362.1  Windows Runtime PointOfService DLL
windows.devices.portable.dll  10.0.18362.1  Windows Runtime Portable Devices DLL
windows.devices.printers.dll  10.0.18362.1  Windows Runtime Devices Printers DLL
windows.devices.printers.extensions.dll  10.0.18362.1  Windows.Devices.Printers.Extensions
windows.devices.radios.dll  10.0.18362.1  Windows.Devices.Radios DLL
windows.devices.scanners.dll  10.0.18362.1  Windows Runtime Devices Scanners DLL
windows.devices.sensors.dll  10.0.18362.1  Windows Runtime Sensors DLL
windows.devices.serialcommunication.dll  10.0.18362.1  Windows.Devices.SerialCommunication DLL
windows.devices.smartcards.dll  10.0.18362.1  Windows Runtime Smart Card API DLL
windows.devices.smartcards.phone.dll  10.0.18362.1  Windows Runtime Phone Smart Card Api DLL
windows.devices.usb.dll  10.0.18362.1  Windows Runtime Usb DLL
windows.devices.wifi.dll  10.0.18362.1  Windows.Devices.WiFi DLL
windows.devices.wifidirect.dll  10.0.18362.1  Windows.Devices.WiFiDirect DLL
windows.energy.dll  10.0.18362.1  Windows Energy Runtime DLL
windows.gaming.input.dll  10.0.18362.329  Windows Gaming Input API
windows.gaming.preview.dll  10.0.18362.1  Windows Gaming API Preview
windows.gaming.ui.gamebar.dll  10.0.18362.1  Windows Gaming UI API GameBar
windows.gaming.xboxlive.storage.dll  10.0.18362.1  Xbox Connected Storage WinRT implementation
windows.globalization.dll  10.0.18362.86  Windows Globalization
windows.globalization.fontgroups.dll  10.0.18362.1  Fonts Mapping API
windows.globalization.phonenumberformatting.dll  10.0.18362.1  Windows Libphonenumber OSS component
windows.graphics.display.brightnessoverride.dll  10.0.18362.267  Windows Runtime Brightness Override DLL
windows.graphics.display.displayenhancementoverride.dll  10.0.18362.1  Windows Runtime Display Enhancement Override DLL
windows.graphics.dll  10.0.18362.1  WinRT Windows Graphics DLL
windows.graphics.printing.3d.dll  10.0.18362.1  Microsoft Windows Printing Support
windows.graphics.printing.dll  10.0.18362.1  Microsoft Windows Printing Support
windows.graphics.printing.workflow.dll  10.0.18362.1  Microsoft Windows Print Workflow
windows.graphics.printing.workflow.native.dll  10.0.18362.1  Microsoft Windows Print Workflow Native
windows.internal.bluetooth.dll  10.0.18362.1  Windows.Internal.Bluetooth DLL
windows.internal.devices.sensors.dll  10.0.18362.1  Windows Runtime Sensors (Internal) DLL
windows.internal.graphics.display.displaycolormanagement.dll  10.0.18362.1  Windows Runtime Display Color Management DLL
windows.internal.graphics.display.displayenhancementmanagement.dll  10.0.18362.1  Windows Runtime Display Enhancement Management DLL
windows.internal.management.dll  10.0.18362.719  Windows Managent Service DLL
windows.internal.securitymitigationsbroker.dll  10.0.18362.1  Windows Security Mitigations Broker DLL
windows.internal.shellcommon.accountscontrolexperience.dll  10.0.18362.1  Shell Position default shell contract handler
windows.internal.shellcommon.printexperience.dll  10.0.18362.1  Print Experience default shell contract handler
windows.internal.shellcommon.tokenbrokermodal.dll  10.0.18362.1  Token broker default shell contract handler
windows.internal.ui.logon.proxystub.dll  10.0.18362.1  Logon User Experience Proxy Stub
windows.management.workplace.dll  10.0.18362.1  Windows Runtime MdmPolicy DLL
windows.management.workplace.workplacesettings.dll  10.0.18362.1  Windows Runtime WorkplaceSettings DLL
windows.media.audio.dll  10.0.18362.267  Windows Runtime Window Media Audio server DLL
windows.media.backgroundmediaplayback.dll  10.0.18362.1  Windows Media BackgroundMediaPlayback DLL
windows.media.devices.dll  10.0.18362.1  Windows Runtime media device server DLL
windows.media.dll  10.0.18362.145  Windows Media Runtime DLL
windows.media.editing.dll  10.0.18362.1  Windows Media Editing DLL
windows.media.faceanalysis.dll  10.0.18362.1  Microsoft (R) Face Detection DLL
windows.media.import.dll  10.0.18362.1  Windows Photo Import API (WinRT/COM)
windows.media.mediacontrol.dll  10.0.18362.628  Windows Runtime MediaControl server DLL
windows.media.mixedrealitycapture.dll  10.0.18362.1  "Windows.Media.MixedRealityCapture.DYNLINK"
windows.media.ocr.dll  10.0.18362.1  Windows OCR Runtime DLL
windows.media.playback.backgroundmediaplayer.dll  10.0.18362.1  Windows Media Playback BackgroundMediaPlayer DLL
windows.media.playback.mediaplayer.dll  10.0.18362.1  Windows Media Playback MediaPlayer DLL
windows.media.playback.proxystub.dll  10.0.18362.1  BackgroundMediaPlayer Proxy Stub DLL
windows.media.protection.playready.dll  10.0.18362.720  Microsoft PlayReady Client Framework Dll
windows.media.speech.dll  10.0.18362.693  Windows Speech Runtime DLL
windows.media.streaming.dll  10.0.18362.592  DLNA DLL
windows.media.streaming.ps.dll  10.0.18362.1  DLNA Proxy-Stub DLL
windows.mirage.dll  10.0.18362.693  Windows Perception API
windows.mirage.internal.dll  10.0.18362.719  "Windows.Mirage.Internal.DYNLINK"
windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll  10.0.18362.1  Background Transfer Background Manager Policy DLL
windows.networking.backgroundtransfer.dll  10.0.18362.1  Windows.Networking.BackgroundTransfer DLL
windows.networking.connectivity.dll  10.0.18362.1  Windows Networking Connectivity Runtime DLL
windows.networking.dll  10.0.18362.1  Windows.Networking DLL
windows.networking.hostname.dll  10.0.18362.1  Windows.Networking.HostName DLL
windows.networking.networkoperators.esim.dll  10.0.18362.1  ESIM API
windows.networking.networkoperators.hotspotauthentication.dll  10.0.18362.1  Microsoft Windows Hotspot Authentication API
windows.networking.proximity.dll  10.0.18362.1  Windows Runtime Proximity API DLL
windows.networking.servicediscovery.dnssd.dll  10.0.18362.1  Windows.Networking.ServiceDiscovery.Dnssd DLL
windows.networking.sockets.pushenabledapplication.dll  10.0.18362.1  Windows.Networking.Sockets.PushEnabledApplication DLL
windows.networking.vpn.dll  10.0.18362.267  Windows.Networking.Vpn DLL
windows.networking.xboxlive.proxystub.dll  10.0.18362.1  Windows.Networking.XboxLive Proxy Stub Dll
windows.payments.dll  10.0.18362.1  Payment Windows Runtime DLL
windows.perception.stub.dll  10.0.18362.1  Windows Perception Api Stub
windows.security.authentication.identity.provider.dll  10.0.18362.1  Secondary Factor Authentication Windows Runtime DLL
windows.security.authentication.onlineid.dll  10.0.18362.693  Windows Runtime OnlineId Authentication DLL
windows.security.authentication.web.core.dll  10.0.18362.267  Token Broker WinRT API
windows.security.credentials.ui.credentialpicker.dll  10.0.18362.1  WinRT Credential Picker Server
windows.security.credentials.ui.userconsentverifier.dll  10.0.18362.1  Windows User Consent Verifier API
windows.security.integrity.dll  10.0.18362.1  Windows Lockdown API Server
windows.services.targetedcontent.dll  10.0.18362.267  Windows.Services.TargetedContent
windows.shell.search.urihandler.dll  10.0.18362.1  Windows Search URI Handler
windows.shell.servicehostbuilder.dll  10.0.18362.1  Windows.Shell.ServiceHostBuilder
windows.staterepository.dll  10.0.18362.1  Windows StateRepository API Server
windows.staterepositorybroker.dll  10.0.18362.1  Windows StateRepository API Broker
windows.staterepositoryclient.dll  10.0.18362.1  Windows StateRepository Client API
windows.staterepositorycore.dll  10.0.18362.1  Windows StateRepository API Core
windows.staterepositoryps.dll  10.0.18362.1  Windows StateRepository Proxy/Stub Server
windows.staterepositoryupgrade.dll  10.0.18362.1  Windows StateRepository Upgrade
windows.storage.applicationdata.dll  10.0.18362.356  Windows Application Data API Server
windows.storage.compression.dll  5.0.1.1  WinRT Compression
windows.storage.dll  10.0.18362.719  Microsoft WinRT Storage API
windows.storage.onecore.dll  10.0.18362.1  Microsoft Windows.Storage OneCore API
windows.storage.search.dll  10.0.18362.387  Windows.Storage.Search
windows.system.diagnostics.dll  10.0.18362.295  Windows System Diagnostics DLL
windows.system.diagnostics.telemetry.platformtelemetryclient.dll  10.0.18362.1  Platform Telemetry Client DLL
windows.system.diagnostics.tracereporting.platformdiagnosticactions.dll  10.0.18362.1  Platform Diagnostic Actions DLL
windows.system.launcher.dll  10.0.18362.628  Windows.System.Launcher
windows.system.profile.hardwareid.dll  10.0.18362.1  Windows System Profile HardwareId DLL
windows.system.profile.platformdiagnosticsandusagedatasettings.dll  10.0.18362.1  Platform Diagnostics and Usage Settings DLL
windows.system.profile.retailinfo.dll  10.0.18362.1  Windows.System.Profile.RetailInfo Runtime DLL
windows.system.profile.systemid.dll  10.0.18362.1  Windows System Profile SystemId DLL
windows.system.profile.systemmanufacturers.dll  10.0.18362.1  Windows.System.Profile.SystemManufacturers
windows.system.remotedesktop.dll  10.0.18362.1  Windows System RemoteDesktop Runtime DLL
windows.system.systemmanagement.dll  10.0.18362.1  Windows Runtime SystemManagement DLL
windows.system.userdeviceassociation.dll  10.0.18362.1  Windows System User Device Association API
windows.system.userprofile.diagnosticssettings.dll  10.0.18362.1  Diagnostics Settings DLL
windows.ui.accessibility.dll  10.0.18362.1  Windows.UI.Accessibility System DLL
windows.ui.core.textinput.dll  10.0.18362.207  Windows.UI.Core.TextInput dll
windows.ui.cred.dll  10.0.18362.1  Credential Prompt User Experience
windows.ui.creddialogcontroller.dll  10.0.18362.1  Credential UX Dialog Controller
windows.ui.dll  10.0.18362.387  Windows Runtime UI Foundation DLL
windows.ui.fileexplorer.dll  10.0.18362.657  Windows.UI.FileExplorer
windows.ui.immersive.dll  10.0.18362.719  WINDOWS.UI.IMMERSIVE
windows.ui.input.inking.analysis.dll  1.0.1901.9001  
windows.ui.input.inking.dll  10.0.18362.329  WinRT Windows Inking DLL
windows.ui.search.dll  10.0.18362.1  Windows.UI.Search
windows.ui.xaml.controls.dll  10.0.18362.1  Windows.UI.Xaml.Controls
windows.ui.xaml.dll  10.0.18362.449  Windows.UI.Xaml dll
windows.ui.xaml.inkcontrols.dll  10.0.18362.1  Windows UI XAML InkControls API
windows.ui.xaml.maps.dll  10.0.18362.1  Windows UI XAML Maps API
windows.ui.xaml.phone.dll  10.0.18362.1  Windows UI XAML Phone API
windows.ui.xamlhost.dll  10.0.18362.329  XAML Host
windows.web.diagnostics.dll  10.0.18362.1  Windows.Web.Diagnostics
windows.web.dll  10.0.18362.1  Web Client DLL
windows.web.http.dll  10.0.18362.1  Windows.Web.Http DLL
windowscodecs.dll  10.0.18362.719  Microsoft Windows Codecs Library
windowscodecsext.dll  10.0.18362.1  Microsoft Windows Codecs Extended Library
windowscodecsraw.dll  10.0.18362.1  Microsoft Camera Codec Pack
windowsdefaultheatprocessor.dll    
windowslivelogin.dll  10.0.18362.1  Microsoft® Account Login Helper
windowsperformancerecordercontrol.dll  10.0.18362.719  Microsoft Windows Performance Recorder Control Library
winfax.dll  10.0.18362.1  Microsoft Fax API Support DLL
winhttp.dll  10.0.18362.693  Windows HTTP Services
winhttpcom.dll  10.0.18362.1  Windows COM interface for WinHttp
wininet.dll  11.0.18362.693  Internet Extensions for Win32
wininetlui.dll  10.0.18362.1  Provides legacy UI for wininet
wininitext.dll  10.0.18362.1  WinInit Utility Extension DLL
winipcfile.dll  10.0.18362.1  Microsoft Active Directory Rights Management Services File API
winipcsecproc.dll  10.0.18362.1  Microsoft Active Directory Rights Management Services Desktop Security Processor
winipsec.dll  10.0.18362.1  Windows IPsec SPD Client DLL
winlangdb.dll  10.0.18362.657  Windows Bcp47 Language Database
winml.dll  10.0.18362.1  Windows Machine Learning Runtime
winmm.dll  10.0.18362.1  MCI API DLL
winmmbase.dll  10.0.18362.1  Base Multimedia Extension API DLL
winmsipc.dll  10.0.18362.1  Microsoft Active Directory Rights Management Services Client
winmsoirmprotector.dll  10.0.18362.1  Windows Office file format IRM Protector
winnlsres.dll  10.0.18362.267  NLSBuild resource DLL
winnsi.dll  10.0.18362.449  Network Store Information RPC interface
winopcirmprotector.dll  10.0.18362.1  Windows Office file format IRM Protector
winrnr.dll  10.0.18362.1  LDAP RnR Provider DLL
winrscmd.dll  10.0.18362.1  remtsvc
winrsmgr.dll  10.0.18362.1  WSMan Shell API
winrssrv.dll  10.0.18362.1  winrssrv
winrttracing.dll  10.0.18362.1  Windows Diagnostics Tracing
winsatapi.dll  10.0.18362.1  Windows System Assessment Tool API
winscard.dll  10.0.18362.1  Microsoft Smart Card API
winshfhc.dll  10.0.18362.1  File Risk Estimation
winsku.dll  10.0.18362.1  Windows SKU Library
winsockhc.dll  10.0.18362.1  Winsock Network Diagnostic Helper Class
winsqlite3.dll  3.25.3.0  SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.
winsrpc.dll  10.0.18362.1  WINS RPC LIBRARY
winsta.dll  10.0.18362.53  Winstation Library
winsync.dll  2007.94.18362.1  Synchronization Framework
winsyncmetastore.dll  2007.94.18362.1  Windows Synchronization Metadata Store
winsyncproviders.dll  2007.94.18362.1  Windows Synchronization Provider Framework
wintrust.dll  10.0.18362.387  Microsoft Trust Verification APIs
wintypes.dll  10.0.18362.693  Windows Base Types DLL
winusb.dll  10.0.18362.1  Windows USB Driver User Library
wisp.dll  10.0.18362.1  Microsoft Pen and Touch Input Component
wkscli.dll  10.0.18362.1  Workstation Service Client DLL
wkspbrokerax.dll  10.0.18362.1  Microsoft Workspace Broker ActiveX Control
wksprtps.dll  10.0.18362.1  WorkspaceRuntime ProxyStub DLL
wlanapi.dll  10.0.18362.239  Windows WLAN AutoConfig Client Side API DLL
wlancfg.dll  10.0.18362.1  Wlan Netsh Helper DLL
wlanconn.dll  10.0.18362.1  Dot11 Connection Flows
wlandlg.dll  10.0.18362.1  Wireless Lan Dialog Wizards
wlangpui.dll  10.0.18362.1  Wireless Network Policy Management Snap-in
wlanhlp.dll  10.0.18362.1  Windows Wireless LAN 802.11 Client Side Helper API
wlanmm.dll  10.0.18362.1  Dot11 Media and AdHoc Managers
wlanpref.dll  10.0.18362.1  Wireless Preferred Networks
wlanui.dll  10.0.18362.1  Wireless Profile UI
wlanutil.dll  10.0.18362.1  Windows Wireless LAN 802.11 Utility DLL
wldap32.dll  10.0.18362.449  Win32 LDAP API DLL
wldp.dll  10.0.18362.295  Windows Lockdown Policy
wlgpclnt.dll  10.0.18362.1  802.11 Group Policy Client
wlidcli.dll  10.0.18362.1  Microsoft® Account Dynamic Link Library
wlidcredprov.dll  10.0.18362.1  Microsoft® Account Credential Provider
wlidfdp.dll  10.0.18362.1  Microsoft® Account Function Discovery Provider
wlidnsp.dll  10.0.18362.1  Microsoft® Account Namespace Provider
wlidprov.dll  10.0.18362.693  Microsoft® Account Provider
wlidres.dll  10.0.18362.1  Microsoft® Windows Live ID Resource
wmadmod.dll  10.0.18362.145  Windows Media Audio Decoder
wmadmoe.dll  10.0.18362.145  Windows Media Audio 10 Encoder/Transcoder
wmasf.dll  12.0.18362.1  Windows Media ASF DLL
wmcodecdspps.dll  10.0.18362.1  Windows Media CodecDSP Proxy Stub Dll
wmdmlog.dll  12.0.18362.1  Windows Media Device Manager Logger
wmdmps.dll  12.0.18362.1  Windows Media Device Manager Proxy Stub
wmdrmsdk.dll  10.0.18362.1  WMDRM backwards compatibility stub
wmerror.dll  12.0.18362.1  Windows Media Error Definitions (English)
wmi.dll  10.0.18362.1  WMI DC and DP functionality
wmiclnt.dll  10.0.18362.1  WMI Client API
wmidcom.dll  10.0.18362.1  WMI
wmidx.dll  12.0.18362.1  Windows Media Indexer DLL
wmiprop.dll  10.0.18362.1  WDM Provider Dynamic Property Page CoInstaller
wmitomi.dll  10.0.18362.1  CIM Provider Adapter
wmnetmgr.dll  12.0.18362.1  Windows Media Network Plugin Manager DLL
wmp.dll  12.0.18362.719  Windows Media Player
wmpdui.dll  12.0.18362.1  Windows Media Player UI Engine
wmpdxm.dll  12.0.18362.1  Windows Media Player Extension
wmpeffects.dll  12.0.18362.1  Windows Media Player Effects
wmphoto.dll  10.0.18362.1  Windows Media Photo Codec
wmploc.dll  12.0.18362.449  Windows Media Player Resources
wmpps.dll  12.0.18362.1  Windows Media Player Proxy Stub Dll
wmpshell.dll  12.0.18362.1  Windows Media Player Launcher
wmsgapi.dll  10.0.18362.1  WinLogon IPC Client
wmspdmod.dll  10.0.18362.1  Windows Media Audio Voice Decoder
wmspdmoe.dll  10.0.18362.145  Windows Media Audio Voice Encoder
wmvcore.dll  12.0.18362.418  Windows Media Playback/Authoring DLL
wmvdecod.dll  10.0.18362.1  Windows Media Video Decoder
wmvdspa.dll  10.0.18362.1  Windows Media Video DSP Components - Advanced
wmvencod.dll  10.0.18362.1  Windows Media Video 9 Encoder
wmvsdecd.dll  10.0.18362.1  Windows Media Screen Decoder
wmvsencd.dll  10.0.18362.1  Windows Media Screen Encoder
wmvxencd.dll  10.0.18362.1  Windows Media Video Encoder
wofutil.dll  10.0.18362.1  Windows Overlay File System Filter user mode API
wordbreakers.dll  10.0.18362.207  "WordBreakers.DYNLINK"
workfoldersres.dll  6.2.9200.16384  Work Folders Resources
wow32.dll  10.0.18362.1  Wow32
wpbcreds.dll  10.0.18362.1  WP 8.1 upgrade support utility
wpc.dll  10.0.18362.449  WPC Settings Library
wpcwebfilter.dll  10.0.18362.449  WpcWebFilter.dll
wpdshext.dll  10.0.18362.1  Portable Devices Shell Extension
wpdshserviceobj.dll  10.0.18362.1  Windows Portable Device Shell Service Object
wpdsp.dll  10.0.18362.1  WMDM Service Provider for Windows Portable Devices
wpnapps.dll  10.0.18362.207  Windows Push Notification Apps
wpnclient.dll  10.0.18362.1  Windows Push Notifications Client
wpportinglibrary.dll  10.0.18362.1  <d> DLL
ws2_32.dll  10.0.18362.387  Windows Socket 2.0 32-Bit DLL
ws2help.dll  10.0.18362.1  Windows Socket 2.0 Helper for Windows NT
wscapi.dll  10.0.18362.449  Windows Security Center API
wscinterop.dll  10.0.18362.449  Windows Health Center WSC Interop
wscisvif.dll  10.0.18362.1  Windows Security Center ISV API
wsclient.dll  10.0.18362.1  Microsoft Store Licensing Client
wscproxystub.dll  10.0.18362.1  Windows Security Center ISV Proxy Stub
wsdapi.dll  10.0.18362.329  Web Services for Devices API DLL
wsdchngr.dll  10.0.18362.1  WSD Challenge Component
wsecedit.dll  10.0.18362.719  Security Configuration UI Module
wshbth.dll  10.0.18362.1  Windows Sockets Helper DLL
wshcon.dll  5.812.10240.16384  Microsoft ® Windows Script Controller
wshelper.dll  10.0.18362.1  Winsock Net shell helper DLL for winsock
wshext.dll  5.812.10240.16384  Microsoft ® Shell Extension for Windows Script Host
wshhyperv.dll  10.0.18362.1  Hyper-V Winsock2 Helper DLL
wship6.dll  10.0.18362.1  Winsock2 Helper DLL (TL/IPv6)
wshqos.dll  10.0.18362.1  QoS Winsock2 Helper DLL
wshrm.dll  10.0.18362.1  Windows Sockets Helper DLL for PGM
wshtcpip.dll  10.0.18362.1  Winsock2 Helper DLL (TL/IPv4)
wshunix.dll  10.0.18362.1  AF_UNIX Winsock2 Helper DLL
wsmagent.dll  10.0.18362.693  WinRM Agent
wsmanmigrationplugin.dll  10.0.18362.693  WinRM Migration Plugin
wsmauto.dll  10.0.18362.693  WSMAN Automation
wsmplpxy.dll  10.0.18362.693  wsmplpxy
wsmres.dll  10.0.18362.693  WSMan Resource DLL
wsmsvc.dll  10.0.18362.693  WSMan Service
wsmwmipl.dll  10.0.18362.693  WSMAN WMI Provider
wsnmp32.dll  10.0.18362.1  Microsoft WinSNMP v2.0 Manager API
wsock32.dll  10.0.18362.1  Windows Socket 32-Bit DLL
wsp_fs.dll  10.0.18362.387  Windows Storage Provider for FileShare management
wsp_health.dll  10.0.18362.387  Windows Storage Provider for Health Agent API
wsp_sr.dll  10.0.18362.1  Windows Storage Provider for Storage Replication management
wtsapi32.dll  10.0.18362.1  Windows Remote Desktop Session Host Server SDK APIs
wuapi.dll  10.0.18362.387  Windows Update Client API
wuceffects.dll  10.0.18362.1  Microsoft Composition Effects
wudriver.dll  10.0.18362.1  Windows Update WUDriver Stub
wups.dll  10.0.18362.387  Windows Update client proxy stub
wvc.dll  1.0.0.1  Windows Visual Components
wwaapi.dll  10.0.18362.1  Microsoft Web Application Host API library
wwaext.dll  10.0.18362.1  Microsoft Web Application Host Extension library
wwanapi.dll  10.0.18362.1  Mbnapi
wwapi.dll  10.0.18362.1  WWAN API
xaudio2_8.dll  10.0.18362.1  XAudio2 Game Audio API
xaudio2_9.dll  10.0.18362.267  XAudio2 Game Audio API
xblauthmanagerproxy.dll  10.0.18362.1  XblAuthManagerProxy
xblauthtokenbrokerext.dll  10.0.18362.1  Xbox Live Token Broker Extension
xblgamesaveproxy.dll  10.0.18362.1  Xbox Live Game Save Service Proxies and Stubs
xboxgipsynthetic.dll    
xinput1_4.dll  10.0.18362.329  Microsoft Common Controller API
xinput9_1_0.dll  10.0.18362.1  XNA Common Controller
xinputuap.dll  10.0.18362.329  Microsoft Common Controller API
xmlfilter.dll  2008.0.18362.1  XML Filter
xmllite.dll  10.0.18362.295  Microsoft XmlLite Library
xmlprovi.dll  10.0.18362.1  Network Provisioning Service Client API
xolehlp.dll  2001.12.10941.16384  Microsoft Distributed Transaction Coordinator Helper APIs DLL
xpsdocumenttargetprint.dll  10.0.18362.693  XPS DocumentTargetPrint DLL
xpsgdiconverter.dll  10.0.18362.1  XPS to GDI Converter
xpsprint.dll  10.0.18362.693  XPS Printing DLL
xpsrasterservice.dll  10.0.18362.1  XPS Rasterization Service Component
xpsservices.dll  10.0.18362.418  Xps Object Model in memory creation and deserialization
xwizards.dll  10.0.18362.1  Extensible Wizards Manager Module
xwreg.dll  10.0.18362.1  Extensible Wizard Registration Manager Module
xwtpdui.dll  10.0.18362.1  Extensible Wizard Type Plugin for DUI
xwtpw32.dll  10.0.18362.1  Extensible Wizard Type Plugin for Win32
zipcontainer.dll  10.0.18362.1  Zip Container DLL
zipfldr.dll  10.0.18362.1  Compressed (zipped) Folders
ztrace_maps.dll  10.0.18362.1  ZTrace Event Resources


Certificates

 
[ Certificate Authorities / Microsoft TPM Root Certificate Authority 2014 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  CB 5D 1E 50 69 C8 B8 49 BF 27 BF 0C 4E 30 B6 5D
Validity  12/11/2014 - 12/11/2039
MD5 Hash  91008B39FF9318C6B3B184476BEAA491
SHA1 Hash  D4FFDB19BA590FFFAA34DB5F4B568706A2978436
 
Issuer Properties:
Common Name  Microsoft TPM Root Certificate Authority 2014
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft TPM Root Certificate Authority 2014
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Certificate Authorities / Microsoft Windows Hardware Compatibility ]
 
Certificate Properties:
Version  V3
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  A0 69 FE 8F 9A 3F D1 11 8B 19
Validity  10/1/1997 - 12/31/2002
MD5 Hash  09C254BDE4EA50F26D1497F29C51AF6D
SHA1 Hash  109F1CAED645BB78B3EA2B94C0697C740733031C
 
Issuer Properties:
Common Name  Microsoft Root Authority
Organizational Unit  Copyright (c) 1997 Microsoft Corp.
Organizational Unit  Microsoft Corporation
 
Subject Properties:
Common Name  Microsoft Windows Hardware Compatibility
Organizational Unit  Copyright (c) 1997 Microsoft Corp.
Organizational Unit  Microsoft Windows Hardware Compatibility Intermediate CA
Organizational Unit  Microsoft Corporation
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Certificate Authorities / NCU-INTC-KEYID-E7083F22152A7492EC59B0C4243437648B15DBB7 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  CB 02 00 00 00 00 95 48 BC 92 73 0E 7A CE CB 02 00 00 33
Validity  5/23/2019 - 5/23/2025
MD5 Hash  5F202F8C7598696AC9C0740AD87E98F3
SHA1 Hash  39EB7ED3A574AE5D5B576C4CE6D4D7C0D701DD8A
 
Issuer Properties:
Common Name  Microsoft TPM Root Certificate Authority 2014
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  NCU-INTC-KEYID-E7083F22152A7492EC59B0C4243437648B15DBB7
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Certificate Authorities / Root Agency ]
 
Certificate Properties:
Version  V3
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  F4 35 5C AA D4 B8 CF 11 8A 64 00 AA 00 6C 37 06
Validity  5/29/1996 - 1/1/2040
MD5 Hash  C0A723F0DA35026B21EDB17597F1D470
SHA1 Hash  FEE449EE0E3965A5246F000E87FDE2A065FD89D4
 
Issuer Properties:
Common Name  Root Agency
 
Subject Properties:
Common Name  Root Agency
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Certificate Authorities / USERTrust RSA Certification Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA384 RSA (1.2.840.113549.1.1.12)
Serial Number  36 43 61 80 09 63 36 0C ED EC F4 5B 70 28 EA 13
Validity  5/30/2000 - 5/30/2020
MD5 Hash  DB78CBD190952735D940BC80AC2432C0
SHA1 Hash  EAB040689A0D805B5D6FD654FC168CFF00B78BE3
 
Issuer Properties:
Common Name  AddTrust External CA Root
Organization  AddTrust AB
Organizational Unit  AddTrust External TTP Network
Country  Sweden
 
Subject Properties:
Common Name  USERTrust RSA Certification Authority
Organization  The USERTRUST Network
Country  United States
Locality Name  Jersey City
State/Province  New Jersey
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Certificate Authorities / www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  8F 07 93 3F 23 98 60 92 0F 2F D0 B4 BA EB FC 46
Validity  4/17/1997 - 10/25/2016
MD5 Hash  ACD80EA27BB72CE700DC22724A5F1E92
SHA1 Hash  D559A586669B08F46A30A133F8A9ED3D038E2EA8
 
Issuer Properties:
Organization  VeriSign, Inc.
Organizational Unit  Class 3 Public Primary Certification Authority
Country  United States
 
Subject Properties:
Organization  VeriSign Trust Network
Organizational Unit  VeriSign, Inc.
Organizational Unit  VeriSign International Server CA - Class 3
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DigiCert Baltimore Root ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  B9 00 00 02
Validity  5/13/2000 - 5/13/2025
MD5 Hash  ACB694A59C17E0D791529BB19706A6E4
SHA1 Hash  D4DE20D05E66FC53FE1A50882C78DB2852CAE474
 
Issuer Properties:
Common Name  Baltimore CyberTrust Root
Organization  Baltimore
Organizational Unit  CyberTrust
Country  Ireland
 
Subject Properties:
Common Name  Baltimore CyberTrust Root
Organization  Baltimore
Organizational Unit  CyberTrust
Country  Ireland
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DigiCert Global Root G2 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  E5 FA 09 1D B1 64 28 BB A0 A9 11 A7 E6 F1 3A 03
Validity  8/1/2013 - 1/15/2038
MD5 Hash  E4A68AC854AC5242460AFD72481B2A44
SHA1 Hash  DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
 
Issuer Properties:
Common Name  DigiCert Global Root G2
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Subject Properties:
Common Name  DigiCert Global Root G2
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DigiCert ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  39 30 F0 1B FC 60 E5 8F FE 46 D8 17 E5 E0 E7 0C
Validity  11/10/2006 - 11/10/2031
MD5 Hash  87CE0B7B2A0E4900E158719B37A89372
SHA1 Hash  0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
 
Issuer Properties:
Common Name  DigiCert Assured ID Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Subject Properties:
Common Name  DigiCert Assured ID Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DigiCert ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  4A C7 91 59 C9 6A 75 A1 B1 46 42 90 56 E0 3B 08
Validity  11/10/2006 - 11/10/2031
MD5 Hash  79E4A9840D7D3A96D7C04FE2434C892E
SHA1 Hash  A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
 
Issuer Properties:
Common Name  DigiCert Global Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Subject Properties:
Common Name  DigiCert Global Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DigiCert ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  77 25 46 AE F2 79 0B 8F 9B 40 0B 6A 26 5C AC 02
Validity  11/10/2006 - 11/10/2031
MD5 Hash  D474DE575C39B2D39C8583C5C065498A
SHA1 Hash  5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
 
Issuer Properties:
Common Name  DigiCert High Assurance EV Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Subject Properties:
Common Name  DigiCert High Assurance EV Root CA
Organization  DigiCert Inc
Organizational Unit  www.digicert.com
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / DST Root CA X3 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  6B 40 F8 2E 86 39 30 89 BA 27 A3 D6 80 B0 AF 44
Validity  10/1/2000 - 9/30/2021
MD5 Hash  410352DC0FF7501B16F0028EBA6F45C5
SHA1 Hash  DAC9024F54D8F6DF94935FB1732638CA6AD77C13
 
Issuer Properties:
Common Name  DST Root CA X3
Organization  Digital Signature Trust Co.
 
Subject Properties:
Common Name  DST Root CA X3
Organization  Digital Signature Trust Co.
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / GlobalSign Root CA - R1 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  94 C3 5A 4B 15 01 00 00 00 00 04
Validity  9/1/1998 - 1/28/2028
MD5 Hash  3E455215095192E1B75D379FB187298A
SHA1 Hash  B1BC968BD4F49D622AA89A81F2150152A41D829C
 
Issuer Properties:
Common Name  GlobalSign Root CA
Organization  GlobalSign nv-sa
Organizational Unit  Root CA
Country  Belgium
 
Subject Properties:
Common Name  GlobalSign Root CA
Organization  GlobalSign nv-sa
Organizational Unit  Root CA
Country  Belgium
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / GlobalSign Root CA - R3 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  A2 08 53 58 21 01 00 00 00 00 04
Validity  3/18/2009 - 3/18/2029
MD5 Hash  C5DFB849CA051355EE2DBA1AC33EB028
SHA1 Hash  D69B561148F01C77C54578C10926DF5B856976AD
 
Issuer Properties:
Common Name  GlobalSign
Organization  GlobalSign
Organizational Unit  GlobalSign Root CA - R3
 
Subject Properties:
Common Name  GlobalSign
Organization  GlobalSign
Organizational Unit  GlobalSign Root CA - R3
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Go Daddy Class 2 Certification Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  00
Validity  6/30/2004 - 6/30/2034
MD5 Hash  91DE0625ABDAFD32170CBB25172A8467
SHA1 Hash  2796BAE63F1801E277261BA0D77770028F20EEE4
 
Issuer Properties:
Organization  The Go Daddy Group, Inc.
Organizational Unit  Go Daddy Class 2 Certification Authority
Country  United States
 
Subject Properties:
Organization  The Go Daddy Group, Inc.
Organizational Unit  Go Daddy Class 2 Certification Authority
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Google Trust Services - GlobalSign Root CA-R2 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  0D E6 26 86 0F 01 00 00 00 00 04
Validity  12/15/2006 - 12/15/2021
MD5 Hash  9414777E3E5EFD8F30BD41B0CFE7D030
SHA1 Hash  75E0ABB6138512271C04F85FDDDE38E4B7242EFE
 
Issuer Properties:
Common Name  GlobalSign
Organization  GlobalSign
Organizational Unit  GlobalSign Root CA - R2
 
Subject Properties:
Common Name  GlobalSign
Organization  GlobalSign
Organizational Unit  GlobalSign Root CA - R2
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Hotspot 2.0 Trust Root CA - 03 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  B7 ED 01 DE 89 09 B9 E0 33 A4 86 F2 70 0F B3 0C
Validity  12/8/2013 - 12/8/2043
MD5 Hash  EB1577B40B3C8BABAE346DD98EAD0780
SHA1 Hash  51501FBFCE69189D609CFAF140C576755DCC1FDF
 
Issuer Properties:
Common Name  Hotspot 2.0 Trust Root CA - 03
Organization  WFA Hotspot 2.0
Country  United States
 
Subject Properties:
Common Name  Hotspot 2.0 Trust Root CA - 03
Organization  WFA Hotspot 2.0
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Authenticode(tm) Root ]
 
Certificate Properties:
Version  V3
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  01
Validity  1/1/1995 - 1/1/2000
MD5 Hash  DC6D6FAF897CDD17332FB5BA9035E9CE
SHA1 Hash  7F88CD7223F3C813818C994614A89C99FA3B5247
 
Issuer Properties:
Common Name  Microsoft Authenticode(tm) Root Authority
Organization  MSFT
Country  United States
 
Subject Properties:
Common Name  Microsoft Authenticode(tm) Root Authority
Organization  MSFT
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft ECC Product Root Certificate Authority 2018 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  1.2.840.10045.4.3.3
Serial Number  85 EC 99 B9 7B 67 53 40 8F CD 7C DC 66 26 98 14
Validity  2/28/2018 - 2/28/2043
MD5 Hash  1F124EDE13E06A023CD7C09A4F48C3D6
SHA1 Hash  06F1AA330B927B753A40E68CDF22E34BCBEF3352
 
Issuer Properties:
Common Name  Microsoft ECC Product Root Certificate Authority 2018
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft ECC Product Root Certificate Authority 2018
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  1.2.840.10045.2.1
 
[ Root Certificates / Microsoft ECC TS Root Certificate Authority 2018 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  1.2.840.10045.4.3.3
Serial Number  45 82 12 41 AF EF B4 47 B0 D1 7E 64 E1 75 38 15
Validity  2/28/2018 - 2/28/2043
MD5 Hash  37942958862A06E6BBCFD7AB59C7F23C
SHA1 Hash  31F9FC8BA3805986B721EA7295C65B3A44534274
 
Issuer Properties:
Common Name  Microsoft ECC TS Root Certificate Authority 2018
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft ECC TS Root Certificate Authority 2018
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  1.2.840.10045.2.1
 
[ Root Certificates / Microsoft Root Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  40 DF EC 63 F6 3E D1 11 88 3C 3C 8B 00 C1 00
Validity  1/10/1997 - 12/31/2020
MD5 Hash  2A954ECA79B2874573D92D90BAF99FB6
SHA1 Hash  A43489159A520F0D93D032CCAF37E7FE20A8B419
 
Issuer Properties:
Common Name  Microsoft Root Authority
Organizational Unit  Copyright (c) 1997 Microsoft Corp.
Organizational Unit  Microsoft Corporation
 
Subject Properties:
Common Name  Microsoft Root Authority
Organizational Unit  Copyright (c) 1997 Microsoft Corp.
Organizational Unit  Microsoft Corporation
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Root Certificate Authority 2010 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  AA 39 43 6B 58 9B 9A 44 AC 44 BA BF 25 3A CC 28
Validity  6/24/2010 - 6/24/2035
MD5 Hash  A266BB7DCC38A562631361BBF61DD11B
SHA1 Hash  3B1EFD3A66EA28B16697394703A72CA340A05BD5
 
Issuer Properties:
Common Name  Microsoft Root Certificate Authority 2010
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft Root Certificate Authority 2010
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Root Certificate Authority 2011 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  44 E1 42 6C D6 69 B5 43 96 B2 9F FC B5 C8 8B 3F
Validity  3/23/2011 - 3/23/2036
MD5 Hash  CE0490D5E56C34A5AE0BE98BE581185D
SHA1 Hash  8F43288AD272F3103B6FB1428485EA3014C0BCFE
 
Issuer Properties:
Common Name  Microsoft Root Certificate Authority 2011
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft Root Certificate Authority 2011
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Root Certificate Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  65 2E 13 07 F4 58 73 4C AD A5 A0 4A A1 16 AD 79
Validity  5/10/2001 - 5/10/2021
MD5 Hash  E1C07EA0AABBD4B77B84C228117808A7
SHA1 Hash  CDD4EEAE6000AC7F40C3802C171E30148030C072
 
Issuer Properties:
Common Name  Microsoft Root Certificate Authority
 
Subject Properties:
Common Name  Microsoft Root Certificate Authority
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Time Stamp Root Certificate Authority 2014 ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  66 74 E2 3E 34 53 E9 45 90 32 93 22 43 7A D6 2F
Validity  10/23/2014 - 10/23/2039
MD5 Hash  34F72698D70E231F8DC45B57F118A44B
SHA1 Hash  0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8
 
Issuer Properties:
Common Name  Microsoft Time Stamp Root Certificate Authority 2014
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Subject Properties:
Common Name  Microsoft Time Stamp Root Certificate Authority 2014
Organization  Microsoft Corporation
Country  United States
Locality Name  Redmond
State/Province  Washington
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Microsoft Timestamp Root ]
 
Certificate Properties:
Version  V1
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  01
Validity  5/14/1997 - 12/31/1999
MD5 Hash  556EBEF54C1D7C0360C43418BC9649C1
SHA1 Hash  245C97DF7514E7CF2DF8BE72AE957B9E04741E85
 
Issuer Properties:
Organization  Microsoft Trust Network
Organizational Unit  Microsoft Corporation
Organizational Unit  Microsoft Time Stamping Service Root
 
Subject Properties:
Organization  Microsoft Trust Network
Organizational Unit  Microsoft Corporation
Organizational Unit  Microsoft Time Stamping Service Root
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / QuoVadis Root Certification Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  8B 50 B6 3A
Validity  3/20/2001 - 3/18/2021
MD5 Hash  27DE36FE72B70003009DF4F01E6C0424
SHA1 Hash  DE3F40BD5093D39B6C60F6DABC076201008976C9
 
Issuer Properties:
Common Name  QuoVadis Root Certification Authority
Organization  QuoVadis Limited
Organizational Unit  Root Certification Authority
Country  Bermuda
 
Subject Properties:
Common Name  QuoVadis Root Certification Authority
Organization  QuoVadis Limited
Organizational Unit  Root Certification Authority
Country  Bermuda
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Sectigo (AddTrust) ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  01
Validity  5/30/2000 - 5/30/2020
MD5 Hash  1D3554048578B03F42424DBF20730A3F
SHA1 Hash  02FAF3E291435468607857694DF5E45B68851868
 
Issuer Properties:
Common Name  AddTrust External CA Root
Organization  AddTrust AB
Organizational Unit  AddTrust External TTP Network
Country  Sweden
 
Subject Properties:
Common Name  AddTrust External CA Root
Organization  AddTrust AB
Organizational Unit  AddTrust External TTP Network
Country  Sweden
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Sectigo (formerly Comodo CA) ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA384 RSA (1.2.840.113549.1.1.12)
Serial Number  9D 86 03 5B D8 4E F7 1F E0 6F 63 DB CA F9 AA 4C
Validity  1/19/2010 - 1/19/2038
MD5 Hash  1B31B0714036CC143691ADC43EFDEC18
SHA1 Hash  AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
 
Issuer Properties:
Common Name  COMODO RSA Certification Authority
Organization  COMODO CA Limited
Country  United Kingdom
Locality Name  Salford
State/Province  Greater Manchester
 
Subject Properties:
Common Name  COMODO RSA Certification Authority
Organization  COMODO CA Limited
Country  United Kingdom
Locality Name  Salford
State/Province  Greater Manchester
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Sectigo ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA384 RSA (1.2.840.113549.1.1.12)
Serial Number  2D 03 35 0E 64 BC 1B A8 51 CA A3 FC 30 6D FD 01
Validity  2/1/2010 - 1/19/2038
MD5 Hash  1BFE69D191B71933A372A80FE155E5B5
SHA1 Hash  2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
 
Issuer Properties:
Common Name  USERTrust RSA Certification Authority
Organization  The USERTRUST Network
Country  United States
Locality Name  Jersey City
State/Province  New Jersey
 
Subject Properties:
Common Name  USERTrust RSA Certification Authority
Organization  The USERTRUST Network
Country  United States
Locality Name  Jersey City
State/Province  New Jersey
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Starfield Class 2 Certification Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  00
Validity  6/30/2004 - 6/30/2034
MD5 Hash  324A4BBBC863699BBE749AC6DD1D4624
SHA1 Hash  AD7E1C28B064EF8F6003402014C3D0E3370EB58A
 
Issuer Properties:
Organization  Starfield Technologies, Inc.
Organizational Unit  Starfield Class 2 Certification Authority
Country  United States
 
Subject Properties:
Organization  Starfield Technologies, Inc.
Organizational Unit  Starfield Class 2 Certification Authority
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Symantec Enterprise Mobile Root for Microsoft ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  CE D8 F4 BD A9 29 66 0F 7B 90 BF 9E 2F 55 6B 0F
Validity  3/15/2012 - 3/15/2032
MD5 Hash  71D0A5FF2D59741694BEE37D1E5C860B
SHA1 Hash  92B46C76E13054E104F230517E6E504D43AB10B5
 
Issuer Properties:
Common Name  Symantec Enterprise Mobile Root for Microsoft
Organization  Symantec Corporation
Country  United States
 
Subject Properties:
Common Name  Symantec Enterprise Mobile Root for Microsoft
Organization  Symantec Corporation
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Thawte Timestamping CA ]
 
Certificate Properties:
Version  V3
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  00
Validity  1/1/1997 - 1/1/2021
MD5 Hash  7F667A71D3EB6978209A51149D83DA20
SHA1 Hash  BE36A4562FB2EE05DBB3D32323ADF445084ED656
 
Issuer Properties:
Common Name  Thawte Timestamping CA
Organization  Thawte
Organizational Unit  Thawte Certification
Country  South Africa
Locality Name  Durbanville
State/Province  Western Cape
 
Subject Properties:
Common Name  Thawte Timestamping CA
Organization  Thawte
Organizational Unit  Thawte Certification
Country  South Africa
Locality Name  Durbanville
State/Province  Western Cape
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / Trustwave ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  D0 59 18 27 EB F0 7F 42 AD A5 16 08 5C 8E F0 0C
Validity  11/8/2006 - 1/1/2030
MD5 Hash  DC32C3A76D2557C768099DEA2DA9A2D1
SHA1 Hash  8782C6C304353BCFD29692D2593E7D44D934FF11
 
Issuer Properties:
Common Name  SecureTrust CA
Organization  SecureTrust Corporation
Country  United States
 
Subject Properties:
Common Name  SecureTrust CA
Organization  SecureTrust Corporation
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / VeriSign Class 3 Public Primary CA ]
 
Certificate Properties:
Version  V1
Signature Algorithm  MD2 RSA (1.2.840.113549.1.1.2)
Serial Number  BF BA CC 03 7B CA 38 B6 34 29 D9 10 1D E4 BA 70
Validity  1/29/1996 - 8/2/2028
MD5 Hash  10FC635DF6263E0DF325BE5F79CD6767
SHA1 Hash  742C3192E607E424EB4549542BE1BBC53E6174E2
 
Issuer Properties:
Organization  VeriSign, Inc.
Organizational Unit  Class 3 Public Primary Certification Authority
Country  United States
 
Subject Properties:
Organization  VeriSign, Inc.
Organizational Unit  Class 3 Public Primary Certification Authority
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / VeriSign Time Stamping CA ]
 
Certificate Properties:
Version  V1
Signature Algorithm  MD5 RSA (1.2.840.113549.1.1.4)
Serial Number  A3 DC 5D 15 5F 73 5D A5 1C 59 82 8C 38 D2 19 4A
Validity  5/12/1997 - 1/8/2004
MD5 Hash  EBB04F1D3A2E372F1DDA6E27D6B680FA
SHA1 Hash  18F7C1FCC3090203FD5BAA2F861A754976C8DD25
 
Issuer Properties:
Organization  VeriSign Trust Network
Organizational Unit  VeriSign, Inc.
Organizational Unit  VeriSign Time Stamping Service Root
Organizational Unit  NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
 
Subject Properties:
Organization  VeriSign Trust Network
Organizational Unit  VeriSign, Inc.
Organizational Unit  VeriSign Time Stamping Service Root
Organizational Unit  NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / VeriSign Universal Root Certification Authority ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA256 RSA (1.2.840.113549.1.1.11)
Serial Number  1D C5 1A 12 E4 BB 0E 03 21 13 B3 21 64 C4 1A 40
Validity  4/2/2008 - 12/2/2037
MD5 Hash  8EADB501AA4D81E48C1DD1E114009519
SHA1 Hash  3679CA35668772304D30A5FB873B0FA77BB70D54
 
Issuer Properties:
Common Name  VeriSign Universal Root Certification Authority
Organization  VeriSign, Inc.
Organizational Unit  VeriSign Trust Network
Organizational Unit  (c) 2008 VeriSign, Inc. - For authorized use only
Country  United States
 
Subject Properties:
Common Name  VeriSign Universal Root Certification Authority
Organization  VeriSign, Inc.
Organizational Unit  VeriSign Trust Network
Organizational Unit  (c) 2008 VeriSign, Inc. - For authorized use only
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)
 
[ Root Certificates / VeriSign ]
 
Certificate Properties:
Version  V3
Signature Algorithm  SHA1 RSA (1.2.840.113549.1.1.5)
Serial Number  4A 3B 6B CC CD 58 21 4A BB E8 7D 26 9E D1 DA 18
Validity  11/8/2006 - 7/17/2036
MD5 Hash  CB17E431673EE209FE455793F30AFA1C
SHA1 Hash  4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
 
Issuer Properties:
Common Name  VeriSign Class 3 Public Primary Certification Authority - G5
Organization  VeriSign, Inc.
Organizational Unit  VeriSign Trust Network
Organizational Unit  (c) 2006 VeriSign, Inc. - For authorized use only
Country  United States
 
Subject Properties:
Common Name  VeriSign Class 3 Public Primary Certification Authority - G5
Organization  VeriSign, Inc.
Organizational Unit  VeriSign Trust Network
Organizational Unit  (c) 2006 VeriSign, Inc. - For authorized use only
Country  United States
 
Public Key Properties:
Public Key Algorithm  RSA (1.2.840.113549.1.1.1)


UpTime

 
Current Session:
Last Shutdown Time  3/18/2020 12:15:11 PM
Last Boot Time  3/18/2020 1:10:38 PM
Last DownTime  3327 sec (0 days, 0 hours, 55 min, 27 sec)
Current Time  3/18/2020 1:30:05 PM
UpTime  1168 sec (0 days, 0 hours, 19 min, 27 sec)
 
UpTime Statistics:
First Boot Time  3/18/2020 10:09:56 AM
First Shutdown Time  3/18/2020 10:09:46 AM
Total UpTime  8503 sec (0 days, 2 hours, 21 min, 42 sec)
Total DownTime  3517 sec (0 days, 0 hours, 58 min, 37 sec)
Longest UpTime  2771 sec (0 days, 0 hours, 46 min, 11 sec)
Longest DownTime  3327 sec (0 days, 0 hours, 55 min, 27 sec)
Total Reboots  9
System Availability  70.74%
 
Bluescreen Statistics:
Total Bluescreens  0
 
Information:
Information  The above statistics are based on System Event Log entries


Share

 
Share Name  Type  Remark  Local Path
ADMIN$  Folder  Remote Admin  C:\Windows
C$  Folder  Default share  C:\
D$  Folder  Default share  D:\
IPC$  IPC  Remote IPC  


Account Security

 
Account Security Properties:
Computer Role  Primary
Domain Name  DESKTOP-UT5JEJD
Primary Domain Controller  Not Specified
Forced Logoff Time  Disabled
Min / Max Password Age  0 / 42 days
Minimum Password Length  0 chars
Password History Length  Disabled
Lockout Threshold  Disabled
Lockout Duration  30 min
Lockout Observation Window  30 min


Logon

 
User  Full Name  Logon Server  Logon Domain
redblue    DESKTOP-UT5JEJD  DESKTOP-UT5JEJD
redblue    DESKTOP-UT5JEJD  DESKTOP-UT5JEJD


Users

 
[ Administrator ]
 
User Properties:
User Name  Administrator
Full Name  Administrator
Comment  Built-in account for administering the computer/domain
Member Of Groups  Administrators
Logon Count  19
Disk Quota  -
 
User Features:
Logon Script Executed  Yes
Account Disabled  Yes
Locked Out User  No
Home Folder Required  No
Password Required  Yes
Read-Only Password  No
Password Never Expires  Yes
 
[ DefaultAccount ]
 
User Properties:
User Name  DefaultAccount
Full Name  DefaultAccount
Comment  A user account managed by the system.
Member Of Groups  System Managed Accounts Group
Logon Count  0
Disk Quota  -
 
User Features:
Logon Script Executed  Yes
Account Disabled  Yes
Locked Out User  No
Home Folder Required  No
Password Required  No
Read-Only Password  No
Password Never Expires  Yes
 
[ Guest ]
 
User Properties:
User Name  Guest
Full Name  Guest
Comment  Built-in account for guest access to the computer/domain
Member Of Groups  Guests
Logon Count  0
Disk Quota  -
 
User Features:
Logon Script Executed  Yes
Account Disabled  Yes
Locked Out User  No
Home Folder Required  No
Password Required  No
Read-Only Password  Yes
Password Never Expires  Yes
 
[ redblue ]
 
User Properties:
User Name  redblue
Full Name  redblue
Member Of Groups  Administrators
Logon Count  13
Disk Quota  -
 
User Features:
Logon Script Executed  Yes
Account Disabled  No
Locked Out User  No
Home Folder Required  No
Password Required  No
Read-Only Password  No
Password Never Expires  Yes
 
[ WDAGUtilityAccount ]
 
User Properties:
User Name  WDAGUtilityAccount
Full Name  WDAGUtilityAccount
Comment  A user account managed and used by the system for Windows Defender Application Guard scenarios.
Logon Count  0
Disk Quota  -
 
User Features:
Logon Script Executed  Yes
Account Disabled  Yes
Locked Out User  No
Home Folder Required  No
Password Required  Yes
Read-Only Password  No
Password Never Expires  No


Local Groups

 
[ Administrators ]
 
Local Group Properties:
Comment  Administrators have complete and unrestricted access to the computer/domain
 
Group Members:
Administrator  
redblue  
 
[ Device Owners ]
 
Local Group Properties:
Comment  Members of this group can change system-wide settings.
 
[ Distributed COM Users ]
 
Local Group Properties:
Comment  Members are allowed to launch, activate and use Distributed COM objects on this machine.
 
[ Event Log Readers ]
 
Local Group Properties:
Comment  Members of this group can read event logs from local machine
 
[ Guests ]
 
Local Group Properties:
Comment  Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
 
Group Members:
Guest  
 
[ Hyper-V Administrators ]
 
Local Group Properties:
Comment  Members of this group have complete and unrestricted access to all features of Hyper-V.
 
[ IIS_IUSRS ]
 
Local Group Properties:
Comment  Built-in group used by Internet Information Services.
 
Group Members:
IUSR  
 
[ Performance Log Users ]
 
Local Group Properties:
Comment  Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
 
[ Performance Monitor Users ]
 
Local Group Properties:
Comment  Members of this group can access performance counter data locally and remotely
 
[ Remote Management Users ]
 
Local Group Properties:
Comment  Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
 
[ System Managed Accounts Group ]
 
Local Group Properties:
Comment  Members of this group are managed by the system.
 
Group Members:
DefaultAccount  
 
[ Users ]
 
Local Group Properties:
Comment  Users are prevented from making accidental or intentional system-wide changes and can run most applications
 
Group Members:
Authenticated Users  
INTERACTIVE  


Global Groups

 
[ None ]
 
Global Group Properties:
Comment  Ordinary users
 
Group Members:
Administrator  
DefaultAccount  
Guest  
redblue  
WDAGUtilityAccount  


Windows Video

 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel(R) Iris(R) Plus Graphics ]
 
Video Adapter Properties:
Device Description  Intel(R) Iris(R) Plus Graphics
Adapter String  Intel(R) Iris(R) Plus Graphics
BIOS String  Intel Video BIOS
Chip Type  Intel(R) Iris(R) Graphics Family
DAC Type  Internal
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
Memory Size  1 GB
 
Installed Drivers:
igdumdim64  
igd10iumd64  
igd10iumd64  
igd12umd64  
igdumdim32  
igd10iumd32  
igd10iumd32  
igd12umd32  
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


GPU

 
[ Integrated: Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller ]
 
Graphics Processor Properties:
Video Adapter  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
GPU Code Name  Ice Lake-U GT2 64EU
PCI Device  8086-8A52 / 1854-0361 (Rev 07)
Process Technology  10 nm
Bus Type  Integrated
GPU Clock  300 MHz
GPU Clock (Unslice)  300 MHz
GPU Clock (Turbo)  300 - 1100 MHz
RAMDAC Clock  350 MHz
Pixel Pipelines  8
TMU Per Pipeline  1
Unified Shaders  256 (v6.4)
DirectX Hardware Support  DirectX v12
WDDM Version  WDDM 2.6
 
Architecture:
Architecture  Intel Gen11
Execution Units (EU)  64
 
Theoretical Peak Performance:
Pixel Fillrate  2400 MPixel/s @ 300 MHz
Texel Fillrate  2400 MTexel/s @ 300 MHz
Single-Precision FLOPS  307.2 GFLOPS @ 300 MHz
 
Utilization:
Dedicated Memory  0 MB
Dynamic Memory  201 MB
 
Graphics Processor Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


Monitor

 
[ LG Philips LP170WQ1-SPA1 ]
 
Monitor Properties:
Monitor Name  LG Philips LP170WQ1-SPA1
Monitor ID  LGD05F8
Manufacturer  LG Display
Model  LP170WQ1-SPA1
Monitor Type  17" LCD (WQXGA)
Manufacture Date  2018
Serial Number  None
Max. Visible Display Size  366 mm x 229 mm (17.0")
Picture Aspect Ratio  16:10
Maximum Resolution  2560 x 1600
Pixel Density  178 ppi
Gamma  2.20
DPMS Mode Support  None
 
Supported Video Modes:
2560 x 1600  Pixel Clock: 268.60 MHz
 
Monitor Manufacturer:
Company Name  LG Electronics
Product Information  http://www.lg.com/us/monitors
Driver Download  http://www.lg.com/us/support
Driver Update  http://www.aida64.com/goto/?p=drvupdates


Desktop

 
Desktop Properties:
Device Technology  Raster Display
Resolution  2560 x 1600
Color Depth  32-bit
Color Planes  1
Font Resolution  144 dpi
Taskbar Button Combining  Always, hide labels
Pixel Width / Height  36 / 36
Pixel Diagonal  51
Vertical Refresh Rate  60 Hz
Desktop Wallpaper  C:\Windows\web\wallpaper\LG\LG_WallPaper1.jpg
 
Desktop Effects:
Combo-Box Animation  Enabled
Dark Mode  Enabled
Drop Shadow Effect  Enabled
Flat Menu Effect  Enabled
Font Smoothing  Enabled
ClearType  Enabled
Full Window Dragging  Enabled
Gradient Window Title Bars  Enabled
Hide Menu Access Keys  Enabled
Hot Tracking Effect  Enabled
Icon Title Wrapping  Enabled
List-Box Smooth Scrolling  Enabled
Menu Animation  Enabled
Menu Fade Effect  Enabled
Minimize/Restore Animation  Enabled
Mouse Cursor Shadow  Disabled
Selection Fade Effect  Enabled
ShowSounds Accessibility Feature  Disabled
Small Taskbar Buttons  Disabled
Taskbar Button Badges  Enabled
Taskbar Locked  Yes
ToolTip Animation  Enabled
ToolTip Fade Effect  Enabled
Windows Aero  Enabled
Windows Plus! Extension  Disabled


Multi-Monitor

 
Device ID  Primary  Upper Left Corner  Bottom Right Corner
\\.\DISPLAY1  Yes  (0,0)  (2560,1600)


Video Modes

 
Resolution  Color Depth  Refresh Rate
640 x 480  32-bit  60 Hz
640 x 480  32-bit  60 Hz
640 x 480  32-bit  60 Hz
800 x 600  32-bit  60 Hz
800 x 600  32-bit  60 Hz
800 x 600  32-bit  60 Hz
1024 x 768  32-bit  60 Hz
1024 x 768  32-bit  60 Hz
1024 x 768  32-bit  60 Hz
1152 x 864  32-bit  60 Hz
1152 x 864  32-bit  60 Hz
1152 x 864  32-bit  60 Hz
1280 x 600  32-bit  60 Hz
1280 x 600  32-bit  60 Hz
1280 x 600  32-bit  60 Hz
1280 x 720  32-bit  60 Hz
1280 x 720  32-bit  60 Hz
1280 x 720  32-bit  60 Hz
1280 x 768  32-bit  60 Hz
1280 x 768  32-bit  60 Hz
1280 x 768  32-bit  60 Hz
1280 x 800  32-bit  60 Hz
1280 x 800  32-bit  60 Hz
1280 x 800  32-bit  60 Hz
1280 x 960  32-bit  60 Hz
1280 x 960  32-bit  60 Hz
1280 x 960  32-bit  60 Hz
1280 x 1024  32-bit  60 Hz
1280 x 1024  32-bit  60 Hz
1280 x 1024  32-bit  60 Hz
1360 x 768  32-bit  60 Hz
1360 x 768  32-bit  60 Hz
1360 x 768  32-bit  60 Hz
1366 x 768  32-bit  60 Hz
1366 x 768  32-bit  60 Hz
1366 x 768  32-bit  60 Hz
1400 x 1050  32-bit  60 Hz
1400 x 1050  32-bit  60 Hz
1400 x 1050  32-bit  60 Hz
1440 x 900  32-bit  60 Hz
1440 x 900  32-bit  60 Hz
1440 x 900  32-bit  60 Hz
1600 x 900  32-bit  60 Hz
1600 x 900  32-bit  60 Hz
1600 x 900  32-bit  60 Hz
1600 x 1200  32-bit  60 Hz
1600 x 1200  32-bit  60 Hz
1600 x 1200  32-bit  60 Hz
1680 x 1050  32-bit  60 Hz
1680 x 1050  32-bit  60 Hz
1680 x 1050  32-bit  60 Hz
1792 x 1344  32-bit  60 Hz
1792 x 1344  32-bit  60 Hz
1792 x 1344  32-bit  60 Hz
1856 x 1392  32-bit  60 Hz
1856 x 1392  32-bit  60 Hz
1856 x 1392  32-bit  60 Hz
1920 x 1080  32-bit  60 Hz
1920 x 1080  32-bit  60 Hz
1920 x 1080  32-bit  60 Hz
1920 x 1200  32-bit  60 Hz
1920 x 1200  32-bit  60 Hz
1920 x 1200  32-bit  60 Hz
1920 x 1440  32-bit  60 Hz
1920 x 1440  32-bit  60 Hz
1920 x 1440  32-bit  60 Hz
2048 x 1152  32-bit  60 Hz
2048 x 1152  32-bit  60 Hz
2048 x 1152  32-bit  60 Hz
2048 x 1536  32-bit  60 Hz
2048 x 1536  32-bit  60 Hz
2048 x 1536  32-bit  60 Hz
2560 x 1600  32-bit  60 Hz


OpenGL

 
OpenGL Properties:
Vendor  Intel
Renderer  Intel(R) Iris(R) Plus Graphics
Version  4.6.0 - Build 26.20.100.7463
Shading Language Version  4.60 - Build 26.20.100.7463
OpenGL DLL  10.0.18362.387(WinBuild.160101.0800)
Multitexture Texture Units  8
Occlusion Query Counter Bits  64
Sub-Pixel Precision  8-bit
Max Viewport Size  16384 x 16384
Max Cube Map Texture Size  16384 x 16384
Max Rectangle Texture Size  16384 x 16384
Max 3D Texture Size  2048 x 2048 x 2048
Max Anisotropy  16
Max Clipping Planes  8
Max Display-List Nesting Level  64
Max Draw Buffers  8
Max Evaluator Order  32
Max Light Sources  8
Max Pixel Map Table Size  65536
Min / Max Program Texel Offset  -8 / 7
Max Texture Array Layers  2048
Max Texture LOD Bias  15
 
OpenGL Compliancy:
OpenGL 1.1  Yes (100%)
OpenGL 1.2  Yes (100%)
OpenGL 1.3  Yes (100%)
OpenGL 1.4  Yes (100%)
OpenGL 1.5  Yes (100%)
OpenGL 2.0  Yes (100%)
OpenGL 2.1  Yes (100%)
OpenGL 3.0  Yes (100%)
OpenGL 3.1  Yes (100%)
OpenGL 3.2  Yes (100%)
OpenGL 3.3  Yes (100%)
OpenGL 4.0  Yes (100%)
OpenGL 4.1  Yes (100%)
OpenGL 4.2  Yes (100%)
OpenGL 4.3  Yes (100%)
OpenGL 4.4  Yes (100%)
OpenGL 4.5  Yes (100%)
OpenGL 4.6  Yes (100%)
 
Max Stack Depth:
Attribute Stack  16
Client Attribute Stack  16
Modelview Matrix Stack  32
Name Stack  128
Projection Matrix Stack  4
Texture Matrix Stack  10
 
Draw Range Elements:
Max Index Count  1048576
Max Vertex Count  1048576
 
Transform Feedback:
Max Interleaved Components  128
Max Separate Attributes  4
Max Separate Components  4
 
Framebuffer Object:
Max Color Attachments  8
Max Render Buffer Size  16384 x 16384
 
Vertex Shader:
Max Uniform Vertex Components  4096
Max Varying Floats  64
Max Vertex Texture Image Units  32
Max Combined Texture Image Units  192
 
Geometry Shader:
Max Geometry Texture Units  32
Max Varying Components  64
Max Geometry Varying Components  64
Max Vertex Varying Components  32
Max Geometry Uniform Components  4096
Max Geometry Output Vertices  256
Max Geometry Total Output Components  1024
 
Fragment Shader:
Max Uniform Fragment Components  4096
 
Vertex Program:
Max Local Parameters  256
Max Environment Parameters  300
Max Program Matrices  8
Max Program Matrix Stack Depth  2
Max Vertex Attributes  16
Max Instructions  1024
Max Native Instructions  1024
Max Temporaries  31
Max Native Temporaries  31
Max Parameters  512
Max Native Parameters  400
Max Attributes  16
Max Native Attributes  16
Max Address Registers  1
Max Native Address Registers  1
 
Fragment Program:
Max Local Parameters  256
Max Environment Parameters  256
Max Texture Coordinates  8
Max Texture Image Units  32
Max Instructions  1447
Max Native Instructions  1447
Max Temporaries  256
Max Native Temporaries  256
Max Parameters  512
Max Native Parameters  32
Max Attributes  13
Max Native Attributes  13
Max Address Registers  0
Max Native Address Registers  0
Max ALU Instructions  1447
Max Native ALU Instructions  1447
Max Texture Instructions  1447
Max Native Texture Instructions  1447
Max Texture Indirections  128
Max Native Texture Indirections  128
 
OpenGL Extensions:
Total / Supported Extensions  1073 / 250
GL_3DFX_multisample  Not Supported
GL_3DFX_tbuffer  Not Supported
GL_3DFX_texture_compression_FXT1  Supported
GL_3DL_direct_texture_access2  Not Supported
GL_3Dlabs_multisample_transparency_id  Not Supported
GL_3Dlabs_multisample_transparency_range  Not Supported
GL_AMD_blend_minmax_factor  Not Supported
GL_AMD_compressed_3DC_texture  Not Supported
GL_AMD_compressed_ATC_texture  Not Supported
GL_AMD_conservative_depth  Not Supported
GL_AMD_debug_output  Not Supported
GL_AMD_depth_clamp_separate  Supported
GL_AMD_draw_buffers_blend  Not Supported
GL_AMD_framebuffer_sample_positions  Not Supported
GL_AMD_gcn_shader  Not Supported
GL_AMD_gpu_shader_half_float  Not Supported
GL_AMD_gpu_shader_half_float_fetch  Not Supported
GL_AMD_gpu_shader_half_float2  Not Supported
GL_AMD_gpu_shader_int16  Not Supported
GL_AMD_gpu_shader_int64  Not Supported
GL_AMD_interleaved_elements  Not Supported
GL_AMD_multi_draw_indirect  Not Supported
GL_AMD_name_gen_delete  Not Supported
GL_AMD_occlusion_query_event  Not Supported
GL_AMD_performance_monitor  Not Supported
GL_AMD_pinned_memory  Not Supported
GL_AMD_program_binary_Z400  Not Supported
GL_AMD_query_buffer_object  Not Supported
GL_AMD_sample_positions  Not Supported
GL_AMD_seamless_cubemap_per_texture  Not Supported
GL_AMD_shader_atomic_counter_ops  Not Supported
GL_AMD_shader_stencil_export  Not Supported
GL_AMD_shader_stencil_value_export  Not Supported
GL_AMD_shader_trace  Not Supported
GL_AMD_shader_trinary_minmax  Not Supported
GL_AMD_sparse_texture  Not Supported
GL_AMD_sparse_texture_pool  Not Supported
GL_AMD_stencil_operation_extended  Not Supported
GL_AMD_texture_compression_dxt6  Not Supported
GL_AMD_texture_compression_dxt7  Not Supported
GL_AMD_texture_cube_map_array  Not Supported
GL_AMD_texture_texture4  Not Supported
GL_AMD_texture_tile_pool  Not Supported
GL_AMD_transform_feedback3_lines_triangles  Not Supported
GL_AMD_transform_feedback4  Not Supported
GL_AMD_vertex_shader_layer  Supported
GL_AMD_vertex_shader_tessellator  Not Supported
GL_AMD_vertex_shader_viewport_index  Supported
GL_AMDX_debug_output  Not Supported
GL_AMDX_name_gen_delete  Not Supported
GL_AMDX_random_access_target  Not Supported
GL_AMDX_vertex_shader_tessellator  Not Supported
GL_ANDROID_extension_pack_es31a  Not Supported
GL_ANGLE_depth_texture  Not Supported
GL_ANGLE_framebuffer_blit  Not Supported
GL_ANGLE_framebuffer_multisample  Not Supported
GL_ANGLE_instanced_arrays  Not Supported
GL_ANGLE_pack_reverse_row_order  Not Supported
GL_ANGLE_program_binary  Not Supported
GL_ANGLE_texture_compression_dxt1  Not Supported
GL_ANGLE_texture_compression_dxt3  Not Supported
GL_ANGLE_texture_compression_dxt5  Not Supported
GL_ANGLE_texture_usage  Not Supported
GL_ANGLE_translated_shader_source  Not Supported
GL_APPLE_aux_depth_stencil  Not Supported
GL_APPLE_client_storage  Not Supported
GL_APPLE_copy_texture_levels  Not Supported
GL_APPLE_element_array  Not Supported
GL_APPLE_fence  Not Supported
GL_APPLE_float_pixels  Not Supported
GL_APPLE_flush_buffer_range  Not Supported
GL_APPLE_flush_render  Not Supported
GL_APPLE_framebuffer_multisample  Not Supported
GL_APPLE_object_purgeable  Not Supported
GL_APPLE_packed_pixel  Not Supported
GL_APPLE_packed_pixels  Not Supported
GL_APPLE_pixel_buffer  Not Supported
GL_APPLE_rgb_422  Not Supported
GL_APPLE_row_bytes  Not Supported
GL_APPLE_specular_vector  Not Supported
GL_APPLE_sync  Not Supported
GL_APPLE_texture_2D_limited_npot  Not Supported
GL_APPLE_texture_format_BGRA8888  Not Supported
GL_APPLE_texture_max_level  Not Supported
GL_APPLE_texture_range  Not Supported
GL_APPLE_transform_hint  Not Supported
GL_APPLE_vertex_array_object  Not Supported
GL_APPLE_vertex_array_range  Not Supported
GL_APPLE_vertex_point_size  Not Supported
GL_APPLE_vertex_program_evaluators  Not Supported
GL_APPLE_ycbcr_422  Not Supported
GL_ARB_arrays_of_arrays  Supported
GL_ARB_base_instance  Supported
GL_ARB_bindless_texture  Supported
GL_ARB_blend_func_extended  Supported
GL_ARB_buffer_storage  Supported
GL_ARB_cl_event  Supported
GL_ARB_clear_buffer_object  Supported
GL_ARB_clear_texture  Supported
GL_ARB_clip_control  Supported
GL_ARB_color_buffer_float  Supported
GL_ARB_compatibility  Supported
GL_ARB_compressed_texture_pixel_storage  Supported
GL_ARB_compute_shader  Supported
GL_ARB_compute_variable_group_size  Not Supported
GL_ARB_conditional_render_inverted  Supported
GL_ARB_conservative_depth  Supported
GL_ARB_context_flush_control  Not Supported
GL_ARB_copy_buffer  Supported
GL_ARB_copy_image  Supported
GL_ARB_cull_distance  Supported
GL_ARB_debug_group  Not Supported
GL_ARB_debug_label  Not Supported
GL_ARB_debug_output  Supported
GL_ARB_debug_output2  Not Supported
GL_ARB_depth_buffer_float  Supported
GL_ARB_depth_clamp  Supported
GL_ARB_depth_texture  Supported
GL_ARB_derivative_control  Supported
GL_ARB_direct_state_access  Supported
GL_ARB_draw_buffers  Supported
GL_ARB_draw_buffers_blend  Supported
GL_ARB_draw_elements_base_vertex  Supported
GL_ARB_draw_indirect  Supported
GL_ARB_draw_instanced  Supported
GL_ARB_enhanced_layouts  Supported
GL_ARB_ES2_compatibility  Supported
GL_ARB_ES3_1_compatibility  Supported
GL_ARB_ES3_2_compatibility  Not Supported
GL_ARB_ES3_compatibility  Supported
GL_ARB_explicit_attrib_location  Supported
GL_ARB_explicit_uniform_location  Supported
GL_ARB_fragment_coord_conventions  Supported
GL_ARB_fragment_layer_viewport  Supported
GL_ARB_fragment_program  Supported
GL_ARB_fragment_program_shadow  Supported
GL_ARB_fragment_shader  Supported
GL_ARB_fragment_shader_interlock  Supported
GL_ARB_framebuffer_no_attachments  Supported
GL_ARB_framebuffer_object  Supported
GL_ARB_framebuffer_sRGB  Supported
GL_ARB_geometry_shader4  Supported
GL_ARB_get_program_binary  Supported
GL_ARB_get_texture_sub_image  Supported
GL_ARB_gl_spirv  Supported
GL_ARB_gpu_shader_fp64  Supported
GL_ARB_gpu_shader_int64  Not Supported
GL_ARB_gpu_shader5  Supported
GL_ARB_half_float_pixel  Supported
GL_ARB_half_float_vertex  Supported
GL_ARB_imaging  Not Supported
GL_ARB_indirect_parameters  Supported
GL_ARB_instanced_arrays  Supported
GL_ARB_internalformat_query  Supported
GL_ARB_internalformat_query2  Supported
GL_ARB_invalidate_subdata  Supported
GL_ARB_make_current_read  Not Supported
GL_ARB_map_buffer_alignment  Supported
GL_ARB_map_buffer_range  Supported
GL_ARB_matrix_palette  Not Supported
GL_ARB_multi_bind  Supported
GL_ARB_multi_draw_indirect  Supported
GL_ARB_multisample  Supported
GL_ARB_multitexture  Supported
GL_ARB_occlusion_query  Supported
GL_ARB_occlusion_query2  Supported
GL_ARB_parallel_shader_compile  Not Supported
GL_ARB_pipeline_statistics_query  Supported
GL_ARB_pixel_buffer_object  Supported
GL_ARB_point_parameters  Supported
GL_ARB_point_sprite  Supported
GL_ARB_polygon_offset_clamp  Supported
GL_ARB_post_depth_coverage  Supported
GL_ARB_program_interface_query  Supported
GL_ARB_provoking_vertex  Supported
GL_ARB_query_buffer_object  Supported
GL_ARB_robust_buffer_access_behavior  Supported
GL_ARB_robustness  Supported
GL_ARB_robustness_isolation  Supported
GL_ARB_sample_locations  Not Supported
GL_ARB_sample_shading  Supported
GL_ARB_sampler_objects  Supported
GL_ARB_seamless_cube_map  Supported
GL_ARB_seamless_cubemap_per_texture  Supported
GL_ARB_separate_shader_objects  Supported
GL_ARB_shader_atomic_counter_ops  Supported
GL_ARB_shader_atomic_counters  Supported
GL_ARB_shader_ballot  Not Supported
GL_ARB_shader_bit_encoding  Supported
GL_ARB_shader_clock  Not Supported
GL_ARB_shader_draw_parameters  Supported
GL_ARB_shader_group_vote  Supported
GL_ARB_shader_image_load_store  Supported
GL_ARB_shader_image_size  Supported
GL_ARB_shader_objects  Supported
GL_ARB_shader_precision  Supported
GL_ARB_shader_stencil_export  Supported
GL_ARB_shader_storage_buffer_object  Supported
GL_ARB_shader_subroutine  Supported
GL_ARB_shader_texture_image_samples  Supported
GL_ARB_shader_texture_lod  Not Supported
GL_ARB_shader_viewport_layer_array  Not Supported
GL_ARB_shading_language_100  Supported
GL_ARB_shading_language_120  Not Supported
GL_ARB_shading_language_420pack  Supported
GL_ARB_shading_language_include  Not Supported
GL_ARB_shading_language_packing  Supported
GL_ARB_shadow  Supported
GL_ARB_shadow_ambient  Not Supported
GL_ARB_sparse_buffer  Not Supported
GL_ARB_sparse_texture  Not Supported
GL_ARB_sparse_texture_clamp  Not Supported
GL_ARB_sparse_texture2  Not Supported
GL_ARB_spirv_extensions  Supported
GL_ARB_stencil_texturing  Supported
GL_ARB_swap_buffers  Not Supported
GL_ARB_sync  Supported
GL_ARB_tessellation_shader  Supported
GL_ARB_texture_barrier  Supported
GL_ARB_texture_border_clamp  Supported
GL_ARB_texture_buffer_object  Supported
GL_ARB_texture_buffer_object_rgb32  Supported
GL_ARB_texture_buffer_range  Supported
GL_ARB_texture_compression  Supported
GL_ARB_texture_compression_bptc  Supported
GL_ARB_texture_compression_rgtc  Supported
GL_ARB_texture_compression_rtgc  Not Supported
GL_ARB_texture_cube_map  Supported
GL_ARB_texture_cube_map_array  Supported
GL_ARB_texture_env_add  Supported
GL_ARB_texture_env_combine  Supported
GL_ARB_texture_env_crossbar  Supported
GL_ARB_texture_env_dot3  Supported
GL_ARB_texture_filter_anisotropic  Supported
GL_ARB_texture_filter_minmax  Not Supported
GL_ARB_texture_float  Supported
GL_ARB_texture_gather  Supported
GL_ARB_texture_mirror_clamp_to_edge  Supported
GL_ARB_texture_mirrored_repeat  Supported
GL_ARB_texture_multisample  Supported
GL_ARB_texture_non_power_of_two  Supported
GL_ARB_texture_query_levels  Supported
GL_ARB_texture_query_lod  Supported
GL_ARB_texture_rectangle  Supported
GL_ARB_texture_rg  Supported
GL_ARB_texture_rgb10_a2ui  Supported
GL_ARB_texture_snorm  Not Supported
GL_ARB_texture_stencil8  Supported
GL_ARB_texture_storage  Supported
GL_ARB_texture_storage_multisample  Supported
GL_ARB_texture_swizzle  Supported
GL_ARB_texture_view  Supported
GL_ARB_timer_query  Supported
GL_ARB_transform_feedback_instanced  Supported
GL_ARB_transform_feedback_overflow_query  Supported
GL_ARB_transform_feedback2  Supported
GL_ARB_transform_feedback3  Supported
GL_ARB_transpose_matrix  Supported
GL_ARB_uber_buffers  Not Supported
GL_ARB_uber_mem_image  Not Supported
GL_ARB_uber_vertex_array  Not Supported
GL_ARB_uniform_buffer_object  Supported
GL_ARB_vertex_array_bgra  Supported
GL_ARB_vertex_array_object  Supported
GL_ARB_vertex_attrib_64bit  Supported
GL_ARB_vertex_attrib_binding  Supported
GL_ARB_vertex_blend  Not Supported
GL_ARB_vertex_buffer_object  Supported
GL_ARB_vertex_program  Supported
GL_ARB_vertex_shader  Supported
GL_ARB_vertex_type_10f_11f_11f_rev  Supported
GL_ARB_vertex_type_2_10_10_10_rev  Supported
GL_ARB_viewport_array  Supported
GL_ARB_window_pos  Supported
GL_ARM_mali_program_binary  Not Supported
GL_ARM_mali_shader_binary  Not Supported
GL_ARM_rgba8  Not Supported
GL_ARM_shader_framebuffer_fetch  Not Supported
GL_ARM_shader_framebuffer_fetch_depth_stencil  Not Supported
GL_ATI_array_rev_comps_in_4_bytes  Not Supported
GL_ATI_blend_equation_separate  Not Supported
GL_ATI_blend_weighted_minmax  Not Supported
GL_ATI_draw_buffers  Not Supported
GL_ATI_element_array  Not Supported
GL_ATI_envmap_bumpmap  Not Supported
GL_ATI_fragment_shader  Not Supported
GL_ATI_lock_texture  Not Supported
GL_ATI_map_object_buffer  Not Supported
GL_ATI_meminfo  Not Supported
GL_ATI_pixel_format_float  Not Supported
GL_ATI_pn_triangles  Not Supported
GL_ATI_point_cull_mode  Not Supported
GL_ATI_separate_stencil  Supported
GL_ATI_shader_texture_lod  Not Supported
GL_ATI_text_fragment_shader  Not Supported
GL_ATI_texture_compression_3dc  Not Supported
GL_ATI_texture_env_combine3  Not Supported
GL_ATI_texture_float  Not Supported
GL_ATI_texture_mirror_once  Not Supported
GL_ATI_vertex_array_object  Not Supported
GL_ATI_vertex_attrib_array_object  Not Supported
GL_ATI_vertex_blend  Not Supported
GL_ATI_vertex_shader  Not Supported
GL_ATI_vertex_streams  Not Supported
GL_ATIX_pn_triangles  Not Supported
GL_ATIX_texture_env_combine3  Not Supported
GL_ATIX_texture_env_route  Not Supported
GL_ATIX_vertex_shader_output_point_size  Not Supported
GL_Autodesk_facet_normal  Not Supported
GL_Autodesk_valid_back_buffer_hint  Not Supported
GL_CR_bounding_box  Not Supported
GL_CR_cursor_position  Not Supported
GL_CR_head_spu_name  Not Supported
GL_CR_performance_info  Not Supported
GL_CR_print_string  Not Supported
GL_CR_readback_barrier_size  Not Supported
GL_CR_saveframe  Not Supported
GL_CR_server_id_sharing  Not Supported
GL_CR_server_matrix  Not Supported
GL_CR_state_parameter  Not Supported
GL_CR_synchronization  Not Supported
GL_CR_tile_info  Not Supported
GL_CR_tilesort_info  Not Supported
GL_CR_window_size  Not Supported
GL_DIMD_YUV  Not Supported
GL_DMP_shader_binary  Not Supported
GL_EXT_422_pixels  Not Supported
GL_EXT_abgr  Supported
GL_EXT_bgra  Supported
GL_EXT_bindable_uniform  Not Supported
GL_EXT_blend_color  Supported
GL_EXT_blend_equation_separate  Supported
GL_EXT_blend_func_separate  Supported
GL_EXT_blend_logic_op  Not Supported
GL_EXT_blend_minmax  Supported
GL_EXT_blend_subtract  Supported
GL_EXT_Cg_shader  Not Supported
GL_EXT_clip_control  Not Supported
GL_EXT_clip_volume_hint  Supported
GL_EXT_cmyka  Not Supported
GL_EXT_color_buffer_float  Not Supported
GL_EXT_color_buffer_half_float  Not Supported
GL_EXT_color_matrix  Not Supported
GL_EXT_color_subtable  Not Supported
GL_EXT_color_table  Not Supported
GL_EXT_compiled_vertex_array  Supported
GL_EXT_convolution  Not Supported
GL_EXT_convolution_border_modes  Not Supported
GL_EXT_coordinate_frame  Not Supported
GL_EXT_copy_buffer  Not Supported
GL_EXT_copy_image  Not Supported
GL_EXT_copy_texture  Not Supported
GL_EXT_cull_vertex  Not Supported
GL_EXT_debug_label  Not Supported
GL_EXT_debug_marker  Not Supported
GL_EXT_depth_bounds_test  Not Supported
GL_EXT_depth_buffer_float  Not Supported
GL_EXT_direct_state_access  Supported
GL_EXT_discard_framebuffer  Not Supported
GL_EXT_disjoint_timer_query  Not Supported
GL_EXT_draw_buffers  Not Supported
GL_EXT_draw_buffers_indexed  Not Supported
GL_EXT_draw_buffers2  Supported
GL_EXT_draw_indirect  Not Supported
GL_EXT_draw_instanced  Not Supported
GL_EXT_draw_range_elements  Supported
GL_EXT_fog_coord  Supported
GL_EXT_fog_function  Not Supported
GL_EXT_fog_offset  Not Supported
GL_EXT_frag_depth  Not Supported
GL_EXT_fragment_lighting  Not Supported
GL_EXT_framebuffer_blit  Supported
GL_EXT_framebuffer_multisample  Supported
GL_EXT_framebuffer_multisample_blit_scaled  Not Supported
GL_EXT_framebuffer_object  Supported
GL_EXT_framebuffer_sRGB  Not Supported
GL_EXT_generate_mipmap  Not Supported
GL_EXT_geometry_point_size  Not Supported
GL_EXT_geometry_shader  Not Supported
GL_EXT_geometry_shader4  Supported
GL_EXT_glx_stereo_tree  Not Supported
GL_EXT_gpu_program_parameters  Supported
GL_EXT_gpu_shader_fp64  Not Supported
GL_EXT_gpu_shader4  Supported
GL_EXT_gpu_shader5  Not Supported
GL_EXT_histogram  Not Supported
GL_EXT_import_sync_object  Not Supported
GL_EXT_index_array_formats  Not Supported
GL_EXT_index_func  Not Supported
GL_EXT_index_material  Not Supported
GL_EXT_index_texture  Not Supported
GL_EXT_instanced_arrays  Not Supported
GL_EXT_interlace  Not Supported
GL_EXT_light_texture  Not Supported
GL_EXT_map_buffer_range  Not Supported
GL_EXT_memory_object  Not Supported
GL_EXT_memory_object_win32  Not Supported
GL_EXT_misc_attribute  Not Supported
GL_EXT_multi_draw_arrays  Supported
GL_EXT_multisample  Not Supported
GL_EXT_multisampled_render_to_texture  Not Supported
GL_EXT_multiview_draw_buffers  Not Supported
GL_EXT_occlusion_query_boolean  Not Supported
GL_EXT_packed_depth_stencil  Supported
GL_EXT_packed_float  Supported
GL_EXT_packed_pixels  Supported
GL_EXT_packed_pixels_12  Not Supported
GL_EXT_paletted_texture  Not Supported
GL_EXT_pixel_buffer_object  Not Supported
GL_EXT_pixel_format  Not Supported
GL_EXT_pixel_texture  Not Supported
GL_EXT_pixel_transform  Not Supported
GL_EXT_pixel_transform_color_table  Not Supported
GL_EXT_point_parameters  Not Supported
GL_EXT_polygon_offset  Not Supported
GL_EXT_polygon_offset_clamp  Supported
GL_EXT_post_depth_coverage  Not Supported
GL_EXT_primitive_bounding_box  Not Supported
GL_EXT_provoking_vertex  Not Supported
GL_EXT_pvrtc_sRGB  Not Supported
GL_EXT_raster_multisample  Not Supported
GL_EXT_read_format_bgra  Not Supported
GL_EXT_rescale_normal  Supported
GL_EXT_robustness  Not Supported
GL_EXT_scene_marker  Not Supported
GL_EXT_secondary_color  Supported
GL_EXT_semaphore  Not Supported
GL_EXT_semaphore_win32  Not Supported
GL_EXT_separate_shader_objects  Not Supported
GL_EXT_separate_specular_color  Supported
GL_EXT_shader_atomic_counters  Not Supported
GL_EXT_shader_framebuffer_fetch  Supported
GL_EXT_shader_image_load_formatted  Not Supported
GL_EXT_shader_image_load_store  Not Supported
GL_EXT_shader_implicit_conversions  Not Supported
GL_EXT_shader_integer_mix  Supported
GL_EXT_shader_io_blocks  Not Supported
GL_EXT_shader_pixel_local_storage  Not Supported
GL_EXT_shader_subroutine  Not Supported
GL_EXT_shader_texture_lod  Not Supported
GL_EXT_shadow_funcs  Supported
GL_EXT_shadow_samplers  Not Supported
GL_EXT_shared_texture_palette  Not Supported
GL_EXT_sparse_texture2  Not Supported
GL_EXT_sRGB  Not Supported
GL_EXT_sRGB_write_control  Not Supported
GL_EXT_static_vertex_array  Not Supported
GL_EXT_stencil_clear_tag  Not Supported
GL_EXT_stencil_two_side  Supported
GL_EXT_stencil_wrap  Supported
GL_EXT_subtexture  Not Supported
GL_EXT_swap_control  Not Supported
GL_EXT_tessellation_point_size  Not Supported
GL_EXT_tessellation_shader  Not Supported
GL_EXT_texgen_reflection  Not Supported
GL_EXT_texture  Not Supported
GL_EXT_texture_array  Supported
GL_EXT_texture_border_clamp  Not Supported
GL_EXT_texture_buffer  Not Supported
GL_EXT_texture_buffer_object  Not Supported
GL_EXT_texture_buffer_object_rgb32  Not Supported
GL_EXT_texture_color_table  Not Supported
GL_EXT_texture_compression_bptc  Not Supported
GL_EXT_texture_compression_dxt1  Not Supported
GL_EXT_texture_compression_latc  Not Supported
GL_EXT_texture_compression_rgtc  Not Supported
GL_EXT_texture_compression_s3tc  Supported
GL_EXT_texture_cube_map  Not Supported
GL_EXT_texture_cube_map_array  Not Supported
GL_EXT_texture_edge_clamp  Supported
GL_EXT_texture_env  Not Supported
GL_EXT_texture_env_add  Supported
GL_EXT_texture_env_combine  Supported
GL_EXT_texture_env_dot3  Not Supported
GL_EXT_texture_filter_anisotropic  Supported
GL_EXT_texture_filter_minmax  Not Supported
GL_EXT_texture_format_BGRA8888  Not Supported
GL_EXT_texture_integer  Supported
GL_EXT_texture_lod  Not Supported
GL_EXT_texture_lod_bias  Supported
GL_EXT_texture_mirror_clamp  Not Supported
GL_EXT_texture_object  Not Supported
GL_EXT_texture_perturb_normal  Not Supported
GL_EXT_texture_rectangle  Supported
GL_EXT_texture_rg  Not Supported
GL_EXT_texture_shared_exponent  Supported
GL_EXT_texture_snorm  Supported
GL_EXT_texture_sRGB  Supported
GL_EXT_texture_sRGB_decode  Supported
GL_EXT_texture_sRGB_R8  Not Supported
GL_EXT_texture_storage  Supported
GL_EXT_texture_swizzle  Supported
GL_EXT_texture_type_2_10_10_10_REV  Not Supported
GL_EXT_texture_view  Not Supported
GL_EXT_texture3D  Supported
GL_EXT_texture4D  Not Supported
GL_EXT_timer_query  Supported
GL_EXT_transform_feedback  Supported
GL_EXT_transform_feedback2  Not Supported
GL_EXT_transform_feedback3  Not Supported
GL_EXT_unpack_subimage  Not Supported
GL_EXT_vertex_array  Not Supported
GL_EXT_vertex_array_bgra  Not Supported
GL_EXT_vertex_array_set  Not Supported
GL_EXT_vertex_array_setXXX  Not Supported
GL_EXT_vertex_attrib_64bit  Not Supported
GL_EXT_vertex_shader  Not Supported
GL_EXT_vertex_weighting  Not Supported
GL_EXT_win32_keyed_mutex  Not Supported
GL_EXT_window_rectangles  Not Supported
GL_EXT_x11_sync_object  Not Supported
GL_EXTX_framebuffer_mixed_formats  Not Supported
GL_EXTX_packed_depth_stencil  Not Supported
GL_FGL_lock_texture  Not Supported
GL_FJ_shader_binary_GCCSO  Not Supported
GL_GL2_geometry_shader  Not Supported
GL_GREMEDY_frame_terminator  Not Supported
GL_GREMEDY_string_marker  Not Supported
GL_HP_convolution_border_modes  Not Supported
GL_HP_image_transform  Not Supported
GL_HP_occlusion_test  Not Supported
GL_HP_texture_lighting  Not Supported
GL_I3D_argb  Not Supported
GL_I3D_color_clamp  Not Supported
GL_I3D_interlace_read  Not Supported
GL_IBM_clip_check  Not Supported
GL_IBM_cull_vertex  Not Supported
GL_IBM_load_named_matrix  Not Supported
GL_IBM_multi_draw_arrays  Not Supported
GL_IBM_multimode_draw_arrays  Not Supported
GL_IBM_occlusion_cull  Not Supported
GL_IBM_pixel_filter_hint  Not Supported
GL_IBM_rasterpos_clip  Not Supported
GL_IBM_rescale_normal  Not Supported
GL_IBM_static_data  Not Supported
GL_IBM_texture_clamp_nodraw  Not Supported
GL_IBM_texture_mirrored_repeat  Supported
GL_IBM_vertex_array_lists  Not Supported
GL_IBM_YCbCr  Not Supported
GL_IMG_multisampled_render_to_texture  Not Supported
GL_IMG_program_binary  Not Supported
GL_IMG_read_format  Not Supported
GL_IMG_sgx_binary  Not Supported
GL_IMG_shader_binary  Not Supported
GL_IMG_texture_compression_pvrtc  Not Supported
GL_IMG_texture_compression_pvrtc2  Not Supported
GL_IMG_texture_env_enhanced_fixed_function  Not Supported
GL_IMG_texture_format_BGRA8888  Not Supported
GL_IMG_user_clip_plane  Not Supported
GL_IMG_vertex_program  Not Supported
GL_INGR_blend_func_separate  Not Supported
GL_INGR_color_clamp  Not Supported
GL_INGR_interlace_read  Not Supported
GL_INGR_multiple_palette  Not Supported
GL_INTEL_coarse_fragment_shader  Supported
GL_INTEL_compute_shader_lane_shift  Not Supported
GL_INTEL_conservative_rasterization  Supported
GL_INTEL_fragment_shader_ordering  Supported
GL_INTEL_fragment_shader_span_sharing  Not Supported
GL_INTEL_framebuffer_CMAA  Supported
GL_INTEL_image_serialize  Not Supported
GL_INTEL_map_texture  Supported
GL_INTEL_multi_rate_fragment_shader  Supported
GL_INTEL_parallel_arrays  Not Supported
GL_INTEL_performance_queries  Not Supported
GL_INTEL_performance_query  Supported
GL_INTEL_texture_scissor  Not Supported
GL_KHR_blend_equation_advanced  Supported
GL_KHR_blend_equation_advanced_coherent  Supported
GL_KHR_context_flush_control  Supported
GL_KHR_debug  Supported
GL_KHR_no_error  Supported
GL_KHR_parallel_shader_compile  Not Supported
GL_KHR_robust_buffer_access_behavior  Not Supported
GL_KHR_robustness  Not Supported
GL_KHR_texture_compression_astc_hdr  Not Supported
GL_KHR_texture_compression_astc_ldr  Supported
GL_KHR_vulkan_glsl  Not Supported
GL_KTX_buffer_region  Not Supported
GL_MESA_pack_invert  Not Supported
GL_MESA_program_debug  Not Supported
GL_MESA_resize_buffers  Not Supported
GL_MESA_texture_array  Not Supported
GL_MESA_texture_signed_rgba  Not Supported
GL_MESA_window_pos  Not Supported
GL_MESA_ycbcr_texture  Not Supported
GL_MESAX_texture_float  Not Supported
GL_MESAX_texture_stack  Not Supported
GL_MTX_fragment_shader  Not Supported
GL_MTX_precision_dpi  Not Supported
GL_NV_3dvision_settings  Not Supported
GL_NV_alpha_test  Not Supported
GL_NV_alpha_to_coverage_dither_control  Not Supported
GL_NV_bgr  Not Supported
GL_NV_bindless_multi_draw_indirect  Not Supported
GL_NV_bindless_multi_draw_indirect_count  Not Supported
GL_NV_bindless_texture  Not Supported
GL_NV_blend_equation_advanced  Not Supported
GL_NV_blend_equation_advanced_coherent  Not Supported
GL_NV_blend_minmax  Not Supported
GL_NV_blend_minmax_factor  Not Supported
GL_NV_blend_square  Supported
GL_NV_centroid_sample  Not Supported
GL_NV_clip_space_w_scaling  Not Supported
GL_NV_command_list  Not Supported
GL_NV_complex_primitives  Not Supported
GL_NV_compute_program5  Not Supported
GL_NV_compute_shader_derivatives  Not Supported
GL_NV_conditional_render  Supported
GL_NV_conservative_raster  Not Supported
GL_NV_conservative_raster_dilate  Not Supported
GL_NV_conservative_raster_pre_snap  Not Supported
GL_NV_conservative_raster_pre_snap_triangles  Not Supported
GL_NV_conservative_raster_underestimation  Not Supported
GL_NV_copy_buffer  Not Supported
GL_NV_copy_depth_to_color  Not Supported
GL_NV_copy_image  Not Supported
GL_NV_coverage_sample  Not Supported
GL_NV_deep_texture3D  Not Supported
GL_NV_depth_buffer_float  Not Supported
GL_NV_depth_clamp  Not Supported
GL_NV_depth_nonlinear  Not Supported
GL_NV_depth_range_unclamped  Not Supported
GL_NV_draw_buffers  Not Supported
GL_NV_draw_instanced  Not Supported
GL_NV_draw_texture  Not Supported
GL_NV_draw_vulkan_image  Not Supported
GL_NV_EGL_stream_consumer_external  Not Supported
GL_NV_ES1_1_compatibility  Not Supported
GL_NV_ES3_1_compatibility  Not Supported
GL_NV_evaluators  Not Supported
GL_NV_explicit_attrib_location  Not Supported
GL_NV_explicit_multisample  Not Supported
GL_NV_fbo_color_attachments  Not Supported
GL_NV_feature_query  Not Supported
GL_NV_fence  Not Supported
GL_NV_fill_rectangle  Not Supported
GL_NV_float_buffer  Not Supported
GL_NV_fog_distance  Not Supported
GL_NV_fragdepth  Not Supported
GL_NV_fragment_coverage_to_color  Not Supported
GL_NV_fragment_program  Not Supported
GL_NV_fragment_program_option  Not Supported
GL_NV_fragment_program2  Not Supported
GL_NV_fragment_program4  Not Supported
GL_NV_fragment_shader_barycentric  Not Supported
GL_NV_fragment_shader_interlock  Not Supported
GL_NV_framebuffer_blit  Not Supported
GL_NV_framebuffer_mixed_samples  Not Supported
GL_NV_framebuffer_multisample  Not Supported
GL_NV_framebuffer_multisample_coverage  Not Supported
GL_NV_framebuffer_multisample_ex  Not Supported
GL_NV_generate_mipmap_sRGB  Not Supported
GL_NV_geometry_program4  Not Supported
GL_NV_geometry_shader_passthrough  Not Supported
GL_NV_geometry_shader4  Not Supported
GL_NV_gpu_program_fp64  Not Supported
GL_NV_gpu_program4  Not Supported
GL_NV_gpu_program4_1  Not Supported
GL_NV_gpu_program5  Not Supported
GL_NV_gpu_program5_mem_extended  Not Supported
GL_NV_gpu_shader5  Not Supported
GL_NV_half_float  Not Supported
GL_NV_instanced_arrays  Not Supported
GL_NV_internalformat_sample_query  Not Supported
GL_NV_light_max_exponent  Not Supported
GL_NV_memory_attachment  Not Supported
GL_NV_mesh_shader  Not Supported
GL_NV_multisample_coverage  Not Supported
GL_NV_multisample_filter_hint  Not Supported
GL_NV_non_square_matrices  Not Supported
GL_NV_occlusion_query  Not Supported
GL_NV_pack_subimage  Not Supported
GL_NV_packed_depth_stencil  Not Supported
GL_NV_packed_float  Not Supported
GL_NV_packed_float_linear  Not Supported
GL_NV_parameter_buffer_object  Not Supported
GL_NV_parameter_buffer_object2  Not Supported
GL_NV_path_rendering  Not Supported
GL_NV_path_rendering_shared_edge  Not Supported
GL_NV_pixel_buffer_object  Not Supported
GL_NV_pixel_data_range  Not Supported
GL_NV_platform_binary  Not Supported
GL_NV_point_sprite  Not Supported
GL_NV_present_video  Not Supported
GL_NV_primitive_restart  Supported
GL_NV_query_resource  Not Supported
GL_NV_query_resource_tag  Not Supported
GL_NV_read_buffer  Not Supported
GL_NV_read_buffer_front  Not Supported
GL_NV_read_depth  Not Supported
GL_NV_read_depth_stencil  Not Supported
GL_NV_read_stencil  Not Supported
GL_NV_register_combiners  Not Supported
GL_NV_register_combiners2  Not Supported
GL_NV_representative_fragment_test  Not Supported
GL_NV_robustness_video_memory_purge  Not Supported
GL_NV_sample_locations  Not Supported
GL_NV_sample_mask_override_coverage  Not Supported
GL_NV_scissor_exclusive  Not Supported
GL_NV_shader_atomic_counters  Not Supported
GL_NV_shader_atomic_float  Not Supported
GL_NV_shader_atomic_float64  Not Supported
GL_NV_shader_atomic_fp16_vector  Not Supported
GL_NV_shader_atomic_int64  Not Supported
GL_NV_shader_buffer_load  Not Supported
GL_NV_shader_buffer_store  Not Supported
GL_NV_shader_storage_buffer_object  Not Supported
GL_NV_shader_texture_footprint  Not Supported
GL_NV_shader_thread_group  Not Supported
GL_NV_shader_thread_shuffle  Not Supported
GL_NV_shading_rate_image  Not Supported
GL_NV_shadow_samplers_array  Not Supported
GL_NV_shadow_samplers_cube  Not Supported
GL_NV_sRGB_formats  Not Supported
GL_NV_stereo_view_rendering  Not Supported
GL_NV_tessellation_program5  Not Supported
GL_NV_texgen_emboss  Not Supported
GL_NV_texgen_reflection  Supported
GL_NV_texture_array  Not Supported
GL_NV_texture_barrier  Not Supported
GL_NV_texture_border_clamp  Not Supported
GL_NV_texture_compression_latc  Not Supported
GL_NV_texture_compression_s3tc  Not Supported
GL_NV_texture_compression_s3tc_update  Not Supported
GL_NV_texture_compression_vtc  Not Supported
GL_NV_texture_env_combine4  Not Supported
GL_NV_texture_expand_normal  Not Supported
GL_NV_texture_lod_clamp  Not Supported
GL_NV_texture_multisample  Not Supported
GL_NV_texture_npot_2D_mipmap  Not Supported
GL_NV_texture_rectangle  Not Supported
GL_NV_texture_rectangle_compressed  Not Supported
GL_NV_texture_shader  Not Supported
GL_NV_texture_shader2  Not Supported
GL_NV_texture_shader3  Not Supported
GL_NV_timer_query  Not Supported
GL_NV_transform_feedback  Not Supported
GL_NV_transform_feedback2  Not Supported
GL_NV_uniform_buffer_unified_memory  Not Supported
GL_NV_vdpau_interop  Not Supported
GL_NV_vertex_array_range  Not Supported
GL_NV_vertex_array_range2  Not Supported
GL_NV_vertex_attrib_64bit  Not Supported
GL_NV_vertex_attrib_integer_64bit  Not Supported
GL_NV_vertex_buffer_unified_memory  Not Supported
GL_NV_vertex_program  Not Supported
GL_NV_vertex_program1_1  Not Supported
GL_NV_vertex_program2  Not Supported
GL_NV_vertex_program2_option  Not Supported
GL_NV_vertex_program3  Not Supported
GL_NV_vertex_program4  Not Supported
GL_NV_video_capture  Not Supported
GL_NV_viewport_array2  Not Supported
GL_NV_viewport_swizzle  Not Supported
GL_NVX_blend_equation_advanced_multi_draw_buffers  Not Supported
GL_NVX_conditional_render  Not Supported
GL_NVX_flush_hold  Not Supported
GL_NVX_gpu_memory_info  Not Supported
GL_NVX_instanced_arrays  Not Supported
GL_NVX_multigpu_info  Not Supported
GL_NVX_nvenc_interop  Not Supported
GL_NVX_shader_thread_group  Not Supported
GL_NVX_shader_thread_shuffle  Not Supported
GL_NVX_shared_sync_object  Not Supported
GL_NVX_sysmem_buffer  Not Supported
GL_NVX_ycrcb  Not Supported
GL_OES_blend_equation_separate  Not Supported
GL_OES_blend_func_separate  Not Supported
GL_OES_blend_subtract  Not Supported
GL_OES_byte_coordinates  Not Supported
GL_OES_compressed_EAC_R11_signed_texture  Not Supported
GL_OES_compressed_EAC_R11_unsigned_texture  Not Supported
GL_OES_compressed_EAC_RG11_signed_texture  Not Supported
GL_OES_compressed_EAC_RG11_unsigned_texture  Not Supported
GL_OES_compressed_ETC1_RGB8_texture  Not Supported
GL_OES_compressed_ETC2_punchthroughA_RGBA8_texture  Not Supported
GL_OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture  Not Supported
GL_OES_compressed_ETC2_RGB8_texture  Not Supported
GL_OES_compressed_ETC2_RGBA8_texture  Not Supported
GL_OES_compressed_ETC2_sRGB8_alpha8_texture  Not Supported
GL_OES_compressed_ETC2_sRGB8_texture  Not Supported
GL_OES_compressed_paletted_texture  Not Supported
GL_OES_conditional_query  Not Supported
GL_OES_depth_texture  Not Supported
GL_OES_depth_texture_cube_map  Not Supported
GL_OES_depth24  Not Supported
GL_OES_depth32  Not Supported
GL_OES_draw_texture  Not Supported
GL_OES_EGL_image  Not Supported
GL_OES_EGL_image_external  Not Supported
GL_OES_EGL_sync  Not Supported
GL_OES_element_index_uint  Not Supported
GL_OES_extended_matrix_palette  Not Supported
GL_OES_fbo_render_mipmap  Not Supported
GL_OES_fixed_point  Not Supported
GL_OES_fragment_precision_high  Not Supported
GL_OES_framebuffer_object  Not Supported
GL_OES_get_program_binary  Not Supported
GL_OES_mapbuffer  Not Supported
GL_OES_matrix_get  Not Supported
GL_OES_matrix_palette  Not Supported
GL_OES_packed_depth_stencil  Not Supported
GL_OES_point_size_array  Not Supported
GL_OES_point_sprite  Not Supported
GL_OES_query_matrix  Not Supported
GL_OES_read_format  Not Supported
GL_OES_required_internalformat  Not Supported
GL_OES_rgb8_rgba8  Not Supported
GL_OES_sample_shading  Not Supported
GL_OES_sample_variables  Not Supported
GL_OES_shader_image_atomic  Not Supported
GL_OES_shader_multisample_interpolation  Not Supported
GL_OES_single_precision  Not Supported
GL_OES_standard_derivatives  Not Supported
GL_OES_stencil_wrap  Not Supported
GL_OES_stencil1  Not Supported
GL_OES_stencil4  Not Supported
GL_OES_stencil8  Not Supported
GL_OES_surfaceless_context  Not Supported
GL_OES_texture_3D  Not Supported
GL_OES_texture_compression_astc  Not Supported
GL_OES_texture_cube_map  Not Supported
GL_OES_texture_env_crossbar  Not Supported
GL_OES_texture_float  Not Supported
GL_OES_texture_float_linear  Not Supported
GL_OES_texture_half_float  Not Supported
GL_OES_texture_half_float_linear  Not Supported
GL_OES_texture_mirrored_repeat  Not Supported
GL_OES_texture_npot  Not Supported
GL_OES_texture_stencil8  Not Supported
GL_OES_texture_storage_multisample_2d_array  Not Supported
GL_OES_vertex_array_object  Not Supported
GL_OES_vertex_half_float  Not Supported
GL_OES_vertex_type_10_10_10_2  Not Supported
GL_OML_interlace  Not Supported
GL_OML_resample  Not Supported
GL_OML_subsample  Not Supported
GL_OVR_multiview  Not Supported
GL_OVR_multiview2  Not Supported
GL_PGI_misc_hints  Not Supported
GL_PGI_vertex_hints  Not Supported
GL_QCOM_alpha_test  Not Supported
GL_QCOM_binning_control  Not Supported
GL_QCOM_driver_control  Not Supported
GL_QCOM_extended_get  Not Supported
GL_QCOM_extended_get2  Not Supported
GL_QCOM_perfmon_global_mode  Not Supported
GL_QCOM_tiled_rendering  Not Supported
GL_QCOM_writeonly_rendering  Not Supported
GL_REND_screen_coordinates  Not Supported
GL_S3_performance_analyzer  Not Supported
GL_S3_s3tc  Not Supported
GL_S3_texture_float_linear  Not Supported
GL_S3_texture_half_float_linear  Not Supported
GL_SGI_color_matrix  Not Supported
GL_SGI_color_table  Not Supported
GL_SGI_compiled_vertex_array  Not Supported
GL_SGI_cull_vertex  Not Supported
GL_SGI_index_array_formats  Not Supported
GL_SGI_index_func  Not Supported
GL_SGI_index_material  Not Supported
GL_SGI_index_texture  Not Supported
GL_SGI_make_current_read  Not Supported
GL_SGI_texture_add_env  Not Supported
GL_SGI_texture_color_table  Not Supported
GL_SGI_texture_edge_clamp  Not Supported
GL_SGI_texture_lod  Not Supported
GL_SGIS_color_range  Not Supported
GL_SGIS_detail_texture  Not Supported
GL_SGIS_fog_function  Not Supported
GL_SGIS_generate_mipmap  Supported
GL_SGIS_multisample  Not Supported
GL_SGIS_multitexture  Not Supported
GL_SGIS_pixel_texture  Not Supported
GL_SGIS_point_line_texgen  Not Supported
GL_SGIS_sharpen_texture  Not Supported
GL_SGIS_texture_border_clamp  Not Supported
GL_SGIS_texture_color_mask  Not Supported
GL_SGIS_texture_edge_clamp  Supported
GL_SGIS_texture_filter4  Not Supported
GL_SGIS_texture_lod  Supported
GL_SGIS_texture_select  Not Supported
GL_SGIS_texture4D  Not Supported
GL_SGIX_async  Not Supported
GL_SGIX_async_histogram  Not Supported
GL_SGIX_async_pixel  Not Supported
GL_SGIX_blend_alpha_minmax  Not Supported
GL_SGIX_clipmap  Not Supported
GL_SGIX_convolution_accuracy  Not Supported
GL_SGIX_depth_pass_instrument  Not Supported
GL_SGIX_depth_texture  Not Supported
GL_SGIX_flush_raster  Not Supported
GL_SGIX_fog_offset  Not Supported
GL_SGIX_fog_texture  Not Supported
GL_SGIX_fragment_specular_lighting  Not Supported
GL_SGIX_framezoom  Not Supported
GL_SGIX_instruments  Not Supported
GL_SGIX_interlace  Not Supported
GL_SGIX_ir_instrument1  Not Supported
GL_SGIX_list_priority  Not Supported
GL_SGIX_pbuffer  Not Supported
GL_SGIX_pixel_texture  Not Supported
GL_SGIX_pixel_texture_bits  Not Supported
GL_SGIX_reference_plane  Not Supported
GL_SGIX_resample  Not Supported
GL_SGIX_shadow  Not Supported
GL_SGIX_shadow_ambient  Not Supported
GL_SGIX_sprite  Not Supported
GL_SGIX_subsample  Not Supported
GL_SGIX_tag_sample_buffer  Not Supported
GL_SGIX_texture_add_env  Not Supported
GL_SGIX_texture_coordinate_clamp  Not Supported
GL_SGIX_texture_lod_bias  Not Supported
GL_SGIX_texture_multi_buffer  Not Supported
GL_SGIX_texture_range  Not Supported
GL_SGIX_texture_scale_bias  Not Supported
GL_SGIX_vertex_preclip  Not Supported
GL_SGIX_vertex_preclip_hint  Not Supported
GL_SGIX_ycrcb  Not Supported
GL_SGIX_ycrcb_subsample  Not Supported
GL_SUN_convolution_border_modes  Not Supported
GL_SUN_global_alpha  Not Supported
GL_SUN_mesh_array  Not Supported
GL_SUN_multi_draw_arrays  Supported
GL_SUN_read_video_pixels  Not Supported
GL_SUN_slice_accum  Not Supported
GL_SUN_triangle_list  Not Supported
GL_SUN_vertex  Not Supported
GL_SUNX_constant_data  Not Supported
GL_VIV_shader_binary  Not Supported
GL_WGL_ARB_extensions_string  Not Supported
GL_WGL_EXT_extensions_string  Not Supported
GL_WGL_EXT_swap_control  Not Supported
GL_WIN_phong_shading  Not Supported
GL_WIN_specular_fog  Not Supported
GL_WIN_swap_hint  Supported
GLU_EXT_nurbs_tessellator  Not Supported
GLU_EXT_object_space_tess  Not Supported
GLU_SGI_filter4_parameters  Not Supported
GLX_AMD_gpu_association  Not Supported
GLX_ARB_create_context  Not Supported
GLX_ARB_create_context_no_error  Not Supported
GLX_ARB_create_context_profile  Not Supported
GLX_ARB_create_context_robustness  Not Supported
GLX_ARB_fbconfig_float  Not Supported
GLX_ARB_framebuffer_sRGB  Not Supported
GLX_ARB_get_proc_address  Not Supported
GLX_ARB_multisample  Not Supported
GLX_ARB_robustness_application_isolation  Not Supported
GLX_ARB_robustness_share_group_isolation  Not Supported
GLX_ARB_vertex_buffer_object  Not Supported
GLX_EXT_buffer_age  Not Supported
GLX_EXT_create_context_es_profile  Not Supported
GLX_EXT_create_context_es2_profile  Not Supported
GLX_EXT_fbconfig_packed_float  Not Supported
GLX_EXT_framebuffer_sRGB  Not Supported
GLX_EXT_import_context  Not Supported
GLX_EXT_scene_marker  Not Supported
GLX_EXT_swap_control  Not Supported
GLX_EXT_swap_control_tear  Not Supported
GLX_EXT_texture_from_pixmap  Not Supported
GLX_EXT_visual_info  Not Supported
GLX_EXT_visual_rating  Not Supported
GLX_INTEL_swap_event  Not Supported
GLX_MESA_agp_offset  Not Supported
GLX_MESA_copy_sub_buffer  Not Supported
GLX_MESA_multithread_makecurrent  Not Supported
GLX_MESA_pixmap_colormap  Not Supported
GLX_MESA_query_renderer  Not Supported
GLX_MESA_release_buffers  Not Supported
GLX_MESA_set_3dfx_mode  Not Supported
GLX_MESA_swap_control  Not Supported
GLX_NV_copy_image  Not Supported
GLX_NV_delay_before_swap  Not Supported
GLX_NV_float_buffer  Not Supported
GLX_NV_multisample_coverage  Not Supported
GLX_NV_present_video  Not Supported
GLX_NV_swap_group  Not Supported
GLX_NV_video_capture  Not Supported
GLX_NV_video_out  Not Supported
GLX_NV_video_output  Not Supported
GLX_OML_interlace  Not Supported
GLX_OML_swap_method  Not Supported
GLX_OML_sync_control  Not Supported
GLX_SGI_cushion  Not Supported
GLX_SGI_make_current_read  Not Supported
GLX_SGI_swap_control  Not Supported
GLX_SGI_video_sync  Not Supported
GLX_SGIS_blended_overlay  Not Supported
GLX_SGIS_color_range  Not Supported
GLX_SGIS_multisample  Not Supported
GLX_SGIX_dm_buffer  Not Supported
GLX_SGIX_fbconfig  Not Supported
GLX_SGIX_hyperpipe  Not Supported
GLX_SGIX_pbuffer  Not Supported
GLX_SGIX_swap_barrier  Not Supported
GLX_SGIX_swap_group  Not Supported
GLX_SGIX_video_resize  Not Supported
GLX_SGIX_video_source  Not Supported
GLX_SGIX_visual_select_group  Not Supported
GLX_SUN_get_transparent_index  Not Supported
GLX_SUN_video_resize  Not Supported
WGL_3DFX_gamma_control  Not Supported
WGL_3DFX_multisample  Not Supported
WGL_3DL_stereo_control  Not Supported
WGL_AMD_gpu_association  Not Supported
WGL_AMDX_gpu_association  Not Supported
WGL_ARB_buffer_region  Supported
WGL_ARB_context_flush_control  Supported
WGL_ARB_create_context  Supported
WGL_ARB_create_context_no_error  Not Supported
WGL_ARB_create_context_profile  Supported
WGL_ARB_create_context_robustness  Supported
WGL_ARB_extensions_string  Supported
WGL_ARB_framebuffer_sRGB  Supported
WGL_ARB_make_current_read  Supported
WGL_ARB_multisample  Supported
WGL_ARB_pbuffer  Supported
WGL_ARB_pixel_format  Supported
WGL_ARB_pixel_format_float  Supported
WGL_ARB_render_texture  Not Supported
WGL_ARB_robustness_application_isolation  Not Supported
WGL_ARB_robustness_share_group_isolation  Not Supported
WGL_ATI_pbuffer_memory_hint  Not Supported
WGL_ATI_pixel_format_float  Not Supported
WGL_ATI_render_texture_rectangle  Not Supported
WGL_EXT_buffer_region  Not Supported
WGL_EXT_colorspace  Not Supported
WGL_EXT_create_context_es_profile  Supported
WGL_EXT_create_context_es2_profile  Supported
WGL_EXT_depth_float  Supported
WGL_EXT_display_color_table  Not Supported
WGL_EXT_extensions_string  Supported
WGL_EXT_framebuffer_sRGB  Not Supported
WGL_EXT_framebuffer_sRGBWGL_ARB_create_context  Not Supported
WGL_EXT_gamma_control  Not Supported
WGL_EXT_make_current_read  Not Supported
WGL_EXT_multisample  Not Supported
WGL_EXT_pbuffer  Not Supported
WGL_EXT_pixel_format  Not Supported
WGL_EXT_pixel_format_packed_float  Supported
WGL_EXT_render_texture  Not Supported
WGL_EXT_swap_control  Supported
WGL_EXT_swap_control_tear  Not Supported
WGL_EXT_swap_interval  Not Supported
WGL_I3D_digital_video_control  Not Supported
WGL_I3D_gamma  Not Supported
WGL_I3D_genlock  Not Supported
WGL_I3D_image_buffer  Not Supported
WGL_I3D_swap_frame_lock  Not Supported
WGL_I3D_swap_frame_usage  Not Supported
WGL_INTEL_cl_sharing  Not Supported
WGL_MTX_video_preview  Not Supported
WGL_NV_bridged_display  Not Supported
WGL_NV_copy_image  Not Supported
WGL_NV_delay_before_swap  Not Supported
WGL_NV_DX_interop  Supported
WGL_NV_DX_interop2  Supported
WGL_NV_float_buffer  Not Supported
WGL_NV_gpu_affinity  Not Supported
WGL_NV_multisample_coverage  Not Supported
WGL_NV_present_video  Not Supported
WGL_NV_render_depth_texture  Not Supported
WGL_NV_render_texture_rectangle  Not Supported
WGL_NV_swap_group  Not Supported
WGL_NV_texture_rectangle  Not Supported
WGL_NV_vertex_array_range  Not Supported
WGL_NV_video_capture  Not Supported
WGL_NV_video_output  Not Supported
WGL_NVX_DX_interop  Not Supported
WGL_OML_sync_control  Not Supported
WGL_S3_cl_sharingWGL_ARB_create_context_profile  Not Supported
 
Supported Compressed Texture Formats:
RGB DXT1  Supported
RGBA DXT1  Supported
RGBA DXT3  Supported
RGBA DXT5  Supported
RGB FXT1  Supported
RGBA FXT1  Supported
3Dc  Not Supported
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


GPGPU

 
[ Direct3D: Intel(R) Iris(R) Plus Graphics ]
 
Device Properties:
Device Name  Intel(R) Iris(R) Plus Graphics
PCI Device  8086-8A52 / 1854-0361 (Rev 07)
Dedicated Memory  128 MB
Driver Name  igdumdim32.dll
Driver Version  26.20.100.7463
Shader Model  SM 5.1
Max Threads  1024
Multiple UAV Access  64 UAVs
Thread Dispatch  3D
Thread Local Storage  32 KB
 
Device Features:
10-bit Precision Floating-Point  Not Supported
16-bit Precision Floating-Point  Supported
Append/Consume Buffers  Supported
Atomic Operations  Supported
Double-Precision Floating-Point  Not Supported
Gather4  Supported
Indirect Compute Dispatch  Supported
Map On Default Buffers  Supported
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ OpenCL: Intel(R) Iris(R) Plus Graphics ]
 
OpenCL Properties:
Platform Name  Intel(R) OpenCL
Platform Vendor  Intel(R) Corporation
Platform Version  OpenCL 2.1
Platform Profile  Full
 
Device Properties:
Device Name  Intel(R) Iris(R) Plus Graphics
Device Type  GPU
Device Vendor  Intel(R) Corporation
Device Version  OpenCL 2.1 NEO
Device Profile  Full
Driver Version  26.20.100.7463
OpenCL C Version  OpenCL C 2.0
Supported Built-In Kernels  block_motion_estimate_intel; block_advanced_motion_estimate_check_intel; block_advanced_motion_estimate_bidirectional_check_intel;
Supported SPIR Versions  1.2
Supported IL Versions  SPIR-V_1.2
Clock Rate  1100 MHz
Compute Units / Cores  64 / 256
Address Space Size  32-bit
Max 2D Image Size  16384 x 16384
Max 3D Image Size  16384 x 16384 x 2048
Max Image Array Size  2048
Max Image Buffer Size  53687040
Max Samplers  16
Max Work-Item Size  256 x 256 x 256
Max Work-Group Size  256
Max Sub-Groups  32
Max Global Variable Size  64 KB
Preferred Global Variables Total Size  838860 KB
Max Argument Size  1 KB
Max Constant Buffer Size  838860 KB
Max Constant Arguments  8
Max Pipe Arguments  16
Max Printf Buffer Size  4 MB
Native ISA Vector Widths  char16, short8, int1, half8, float1, double1
Preferred Native Vector Widths  char16, short8, int4, long1, half8, float1, double1
Host Timer Resolution  100 ns
Profiling Timer Resolution  52 ns
OpenCL DLL  opencl.dll (2.2.1.0)
 
Memory Properties:
Global Memory  1638 MB
Global Memory Cache  1024 KB (Read/Write, 64-byte line)
Local Memory  64 KB
Max Memory Object Allocation Size  838860 KB
Memory Base Address Alignment  1024-bit
Min Data Type Alignment  128 bytes
Image Row Pitch Alignment  4 pixels
Image Base Address Alignment  4 pixels
Preferred Platform Atomic Alignment  64 bytes
Preferred Global Atomic Alignment  64 bytes
Preferred Local Atomic Alignment  64 bytes
 
OpenCL Compliancy:
OpenCL 1.1  Yes (100%)
OpenCL 1.2  Yes (100%)
OpenCL 2.0  Yes (100%)
 
Device Features:
Command-Queue Out Of Order Execution  Enabled
Command-Queue Profiling  Enabled
Compiler Available  Yes
Error Correction  Not Supported
Images  Supported
Kernel Execution  Supported
Linker Available  Yes
Little-Endian Device  Yes
Native Kernel Execution  Not Supported
Sub-Group Independent Forward Progress  Supported
SVM Atomics  Not Supported
SVM Coarse Grain Buffer  Supported
SVM Fine Grain Buffer  Supported
SVM Fine Grain System  Supported
Thread Trace  Not Supported
Unified Memory  Yes
 
Half-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Supported
IEEE754-2008 FMA  Supported
INF and NaNs  Supported
Rounding to Infinity  Supported
Rounding to Nearest Even  Supported
Rounding to Zero  Supported
Software Basic Floating-Point Operations  No
 
Single-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Supported
IEEE754-2008 FMA  Supported
INF and NaNs  Supported
Rounding to Infinity  Supported
Rounding to Nearest Even  Supported
Rounding to Zero  Supported
Software Basic Floating-Point Operations  No
 
Double-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Not Supported
IEEE754-2008 FMA  Not Supported
INF and NaNs  Not Supported
Rounding to Infinity  Not Supported
Rounding to Nearest Even  Not Supported
Rounding to Zero  Not Supported
Software Basic Floating-Point Operations  No
 
Device Extensions:
Total / Supported Extensions  116 / 44
cl_altera_compiler_mode  Not Supported
cl_altera_device_temperature  Not Supported
cl_altera_live_object_tracking  Not Supported
cl_amd_bus_addressable_memory  Not Supported
cl_amd_c1x_atomics  Not Supported
cl_amd_compile_options  Not Supported
cl_amd_copy_buffer_p2p  Not Supported
cl_amd_core_id  Not Supported
cl_amd_d3d10_interop  Not Supported
cl_amd_d3d9_interop  Not Supported
cl_amd_device_attribute_query  Not Supported
cl_amd_device_board_name  Not Supported
cl_amd_device_memory_flags  Not Supported
cl_amd_device_persistent_memory  Not Supported
cl_amd_device_profiling_timer_offset  Not Supported
cl_amd_device_topology  Not Supported
cl_amd_event_callback  Not Supported
cl_amd_fp64  Not Supported
cl_amd_hsa  Not Supported
cl_amd_image2d_from_buffer_read_only  Not Supported
cl_amd_liquid_flash  Not Supported
cl_amd_media_ops  Not Supported
cl_amd_media_ops2  Not Supported
cl_amd_offline_devices  Not Supported
cl_amd_popcnt  Not Supported
cl_amd_predefined_macros  Not Supported
cl_amd_printf  Not Supported
cl_amd_svm  Not Supported
cl_amd_vec3  Not Supported
cl_apple_contextloggingfunctions  Not Supported
cl_apple_gl_sharing  Not Supported
cl_apple_setmemobjectdestructor  Not Supported
cl_arm_core_id  Not Supported
cl_arm_import_memory  Not Supported
cl_arm_import_memory_dma_buf  Not Supported
cl_arm_import_memory_host  Not Supported
cl_arm_integer_dot_product_int8  Not Supported
cl_arm_non_uniform_work_group_size  Not Supported
cl_arm_printf  Not Supported
cl_arm_thread_limit_hint  Not Supported
cl_ext_atomic_counters_32  Not Supported
cl_ext_atomic_counters_64  Not Supported
cl_ext_device_fission  Not Supported
cl_ext_migrate_memobject  Not Supported
cl_intel_accelerator  Supported
cl_intel_advanced_motion_estimation  Supported
cl_intel_ctz  Not Supported
cl_intel_d3d11_nv12_media_sharing  Supported
cl_intel_device_partition_by_names  Not Supported
cl_intel_device_side_avc_motion_estimation  Supported
cl_intel_driver_diagnostics  Supported
cl_intel_dx9_media_sharing  Supported
cl_intel_exec_by_local_thread  Not Supported
cl_intel_media_block_io  Supported
cl_intel_motion_estimation  Supported
cl_intel_packed_yuv  Supported
cl_intel_planar_yuv  Supported
cl_intel_printf  Not Supported
cl_intel_required_subgroup_size  Supported
cl_intel_simultaneous_sharing  Supported
cl_intel_spirv_device_side_avc_motion_estimation  Supported
cl_intel_spirv_media_block_io  Supported
cl_intel_spirv_subgroups  Supported
cl_intel_subgroups  Supported
cl_intel_subgroups_short  Supported
cl_intel_thread_local_exec  Not Supported
cl_intel_unified_shared_memory_preview  Supported
cl_intel_va_api_media_sharing  Not Supported
cl_intel_vec_len_hint  Not Supported
cl_intel_visual_analytics  Not Supported
cl_khr_3d_image_writes  Supported
cl_khr_byte_addressable_store  Supported
cl_khr_context_abort  Not Supported
cl_khr_create_command_queue  Supported
cl_khr_d3d10_sharing  Supported
cl_khr_d3d11_sharing  Supported
cl_khr_depth_images  Supported
cl_khr_dx9_media_sharing  Supported
cl_khr_egl_event  Not Supported
cl_khr_egl_image  Not Supported
cl_khr_fp16  Supported
cl_khr_fp64  Not Supported
cl_khr_gl_depth_images  Supported
cl_khr_gl_event  Supported
cl_khr_gl_msaa_sharing  Supported
cl_khr_gl_sharing  Supported
cl_khr_global_int32_base_atomics  Supported
cl_khr_global_int32_extended_atomics  Supported
cl_khr_icd  Supported
cl_khr_il_program  Supported
cl_khr_image2d_from_buffer  Supported
cl_khr_initialize_memory  Not Supported
cl_khr_int64_base_atomics  Not Supported
cl_khr_int64_extended_atomics  Not Supported
cl_khr_local_int32_base_atomics  Supported
cl_khr_local_int32_extended_atomics  Supported
cl_khr_mipmap_image  Supported
cl_khr_mipmap_image_writes  Supported
cl_khr_priority_hints  Supported
cl_khr_select_fprounding_mode  Not Supported
cl_khr_spir  Supported
cl_khr_spirv_no_integer_wrap_decoration  Supported
cl_khr_srgb_image_writes  Not Supported
cl_khr_subgroups  Supported
cl_khr_terminate_context  Not Supported
cl_khr_throttle_hints  Supported
cl_nv_compiler_options  Not Supported
cl_nv_copy_opts  Not Supported
cl_nv_create_buffer  Not Supported
cl_nv_d3d10_sharing  Not Supported
cl_nv_d3d11_sharing  Not Supported
cl_nv_d3d9_sharing  Not Supported
cl_nv_device_attribute_query  Not Supported
cl_nv_pragma_unroll  Not Supported
cl_qcom_ext_host_ptr  Not Supported
cl_qcom_ion_host_ptr  Not Supported
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ OpenCL: Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
OpenCL Properties:
Platform Name  Intel(R) OpenCL
Platform Vendor  Intel(R) Corporation
Platform Version  OpenCL 2.1
Platform Profile  Full
 
Device Properties:
Device Name  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Device Type  CPU
Device Vendor  Intel(R) Corporation
Device Version  OpenCL 2.1 (Build 0)
Device Profile  Full
Driver Version  7.6.0.0814
OpenCL C Version  OpenCL C 2.0
Supported SPIR Versions  1.2
Supported IL Versions  SPIR-V_1.0
Clock Rate  1300 MHz
Compute Units  8
Address Space Size  32-bit
Max 2D Image Size  16384 x 16384
Max 3D Image Size  2048 x 2048 x 2048
Max Image Array Size  2048
Max Image Buffer Size  33552384
Max Samplers  480
Max Work-Item Size  8192 x 8192 x 8192
Max Work-Group Size  8192
Max Sub-Groups  1
Max Global Variable Size  64 KB
Preferred Global Variables Total Size  64 KB
Max Argument Size  3840 bytes
Max Constant Buffer Size  128 KB
Max Constant Arguments  480
Max Pipe Arguments  16
Max Printf Buffer Size  1 MB
Native ISA Vector Widths  char32, short16, int4, float8, double4
Preferred Native Vector Widths  char1, short1, int1, long1, float1, double1
Host Timer Resolution  100 ns
Profiling Timer Resolution  100 ns
OpenCL DLL  opencl.dll (2.2.1.0)
 
Memory Properties:
Global Memory  511 MB
Global Memory Cache  256 KB (Read/Write, 64-byte line)
Local Memory  32 KB
Max Memory Object Allocation Size  524256 KB
Memory Base Address Alignment  1024-bit
Min Data Type Alignment  128 bytes
Image Row Pitch Alignment  64 pixels
Image Base Address Alignment  64 pixels
Preferred Platform Atomic Alignment  64 bytes
Preferred Global Atomic Alignment  64 bytes
 
OpenCL Compliancy:
OpenCL 1.1  Yes (100%)
OpenCL 1.2  Yes (100%)
OpenCL 2.0  Yes (100%)
 
Device Features:
Command-Queue Out Of Order Execution  Enabled
Command-Queue Profiling  Enabled
Compiler Available  Yes
Error Correction  Not Supported
Images  Supported
Kernel Execution  Supported
Linker Available  Yes
Little-Endian Device  Yes
Native Kernel Execution  Supported
Sub-Group Independent Forward Progress  Not Supported
SVM Atomics  Supported
SVM Coarse Grain Buffer  Supported
SVM Fine Grain Buffer  Supported
SVM Fine Grain System  Supported
Thread Trace  Not Supported
Unified Memory  Yes
 
Half-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Not Supported
IEEE754-2008 FMA  Not Supported
INF and NaNs  Not Supported
Rounding to Infinity  Not Supported
Rounding to Nearest Even  Not Supported
Rounding to Zero  Not Supported
Software Basic Floating-Point Operations  No
 
Single-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Supported
IEEE754-2008 FMA  Not Supported
INF and NaNs  Supported
Rounding to Infinity  Not Supported
Rounding to Nearest Even  Supported
Rounding to Zero  Not Supported
Software Basic Floating-Point Operations  No
 
Double-Precision Floating-Point Capabilities:
Correctly Rounded Divide and Sqrt  Not Supported
Denorms  Supported
IEEE754-2008 FMA  Supported
INF and NaNs  Supported
Rounding to Infinity  Supported
Rounding to Nearest Even  Supported
Rounding to Zero  Supported
Software Basic Floating-Point Operations  No
 
Device Extensions:
Total / Supported Extensions  116 / 13
cl_altera_compiler_mode  Not Supported
cl_altera_device_temperature  Not Supported
cl_altera_live_object_tracking  Not Supported
cl_amd_bus_addressable_memory  Not Supported
cl_amd_c1x_atomics  Not Supported
cl_amd_compile_options  Not Supported
cl_amd_copy_buffer_p2p  Not Supported
cl_amd_core_id  Not Supported
cl_amd_d3d10_interop  Not Supported
cl_amd_d3d9_interop  Not Supported
cl_amd_device_attribute_query  Not Supported
cl_amd_device_board_name  Not Supported
cl_amd_device_memory_flags  Not Supported
cl_amd_device_persistent_memory  Not Supported
cl_amd_device_profiling_timer_offset  Not Supported
cl_amd_device_topology  Not Supported
cl_amd_event_callback  Not Supported
cl_amd_fp64  Not Supported
cl_amd_hsa  Not Supported
cl_amd_image2d_from_buffer_read_only  Not Supported
cl_amd_liquid_flash  Not Supported
cl_amd_media_ops  Not Supported
cl_amd_media_ops2  Not Supported
cl_amd_offline_devices  Not Supported
cl_amd_popcnt  Not Supported
cl_amd_predefined_macros  Not Supported
cl_amd_printf  Not Supported
cl_amd_svm  Not Supported
cl_amd_vec3  Not Supported
cl_apple_contextloggingfunctions  Not Supported
cl_apple_gl_sharing  Not Supported
cl_apple_setmemobjectdestructor  Not Supported
cl_arm_core_id  Not Supported
cl_arm_import_memory  Not Supported
cl_arm_import_memory_dma_buf  Not Supported
cl_arm_import_memory_host  Not Supported
cl_arm_integer_dot_product_int8  Not Supported
cl_arm_non_uniform_work_group_size  Not Supported
cl_arm_printf  Not Supported
cl_arm_thread_limit_hint  Not Supported
cl_ext_atomic_counters_32  Not Supported
cl_ext_atomic_counters_64  Not Supported
cl_ext_device_fission  Not Supported
cl_ext_migrate_memobject  Not Supported
cl_intel_accelerator  Not Supported
cl_intel_advanced_motion_estimation  Not Supported
cl_intel_ctz  Not Supported
cl_intel_d3d11_nv12_media_sharing  Not Supported
cl_intel_device_partition_by_names  Not Supported
cl_intel_device_side_avc_motion_estimation  Not Supported
cl_intel_driver_diagnostics  Not Supported
cl_intel_dx9_media_sharing  Not Supported
cl_intel_exec_by_local_thread  Supported
cl_intel_media_block_io  Not Supported
cl_intel_motion_estimation  Not Supported
cl_intel_packed_yuv  Not Supported
cl_intel_planar_yuv  Not Supported
cl_intel_printf  Not Supported
cl_intel_required_subgroup_size  Not Supported
cl_intel_simultaneous_sharing  Not Supported
cl_intel_spirv_device_side_avc_motion_estimation  Not Supported
cl_intel_spirv_media_block_io  Not Supported
cl_intel_spirv_subgroups  Not Supported
cl_intel_subgroups  Not Supported
cl_intel_subgroups_short  Not Supported
cl_intel_thread_local_exec  Not Supported
cl_intel_unified_shared_memory_preview  Not Supported
cl_intel_va_api_media_sharing  Not Supported
cl_intel_vec_len_hint  Supported
cl_intel_visual_analytics  Not Supported
cl_khr_3d_image_writes  Supported
cl_khr_byte_addressable_store  Supported
cl_khr_context_abort  Not Supported
cl_khr_create_command_queue  Not Supported
cl_khr_d3d10_sharing  Not Supported
cl_khr_d3d11_sharing  Not Supported
cl_khr_depth_images  Supported
cl_khr_dx9_media_sharing  Not Supported
cl_khr_egl_event  Not Supported
cl_khr_egl_image  Not Supported
cl_khr_fp16  Not Supported
cl_khr_fp64  Supported
cl_khr_gl_depth_images  Not Supported
cl_khr_gl_event  Not Supported
cl_khr_gl_msaa_sharing  Not Supported
cl_khr_gl_sharing  Not Supported
cl_khr_global_int32_base_atomics  Supported
cl_khr_global_int32_extended_atomics  Supported
cl_khr_icd  Supported
cl_khr_il_program  Not Supported
cl_khr_image2d_from_buffer  Supported
cl_khr_initialize_memory  Not Supported
cl_khr_int64_base_atomics  Not Supported
cl_khr_int64_extended_atomics  Not Supported
cl_khr_local_int32_base_atomics  Supported
cl_khr_local_int32_extended_atomics  Supported
cl_khr_mipmap_image  Not Supported
cl_khr_mipmap_image_writes  Not Supported
cl_khr_priority_hints  Not Supported
cl_khr_select_fprounding_mode  Not Supported
cl_khr_spir  Supported
cl_khr_spirv_no_integer_wrap_decoration  Not Supported
cl_khr_srgb_image_writes  Not Supported
cl_khr_subgroups  Not Supported
cl_khr_terminate_context  Not Supported
cl_khr_throttle_hints  Not Supported
cl_nv_compiler_options  Not Supported
cl_nv_copy_opts  Not Supported
cl_nv_create_buffer  Not Supported
cl_nv_d3d10_sharing  Not Supported
cl_nv_d3d11_sharing  Not Supported
cl_nv_d3d9_sharing  Not Supported
cl_nv_device_attribute_query  Not Supported
cl_nv_pragma_unroll  Not Supported
cl_qcom_ext_host_ptr  Not Supported
cl_qcom_ion_host_ptr  Not Supported
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


Vulkan

 
[ Intel(R) Iris(R) Plus Graphics ]
 
Device Properties:
Device Name  Intel(R) Iris(R) Plus Graphics
Device Type  Integrated GPU
Device UUID  16-2B-10-2B-1F-26-21-24-19-2A-1B-26-1D-23-19-16
PCI Device  8086-8A52
Memory Size  8371028 KB
Max 1D Image Size  16384
Max 2D Image Size  16384 x 16384
Max 3D Image Size  2048 x 2048 x 2048
Max Cube Image Size  16384 x 16384
Max Image Layers  2048
Max Texel Buffer Elements  134217728
Max Uniform Buffer Range  65536
Max Storage Buffer Range  134217728
Max Push Constants Size  256 bytes
Max Memory Allocation Count  2092757
Max Sampler Allocation Count  4000
Buffer Image Granularity  1 bytes
Sparse Address Space Size  17592186044416 bytes
Max Bound Descriptor Sets  8
Max Per-Stage Descriptor Samplers  64
Max Per-Stage Descriptor Uniform Buffers  200
Max Per-Stage Descriptor Storage Buffers  200
Max Per-Stage Descriptor Sampled Images  200
Max Per-Stage Descriptor Storage Images  16
Max Per-Stage Descriptor Input Attachments  7
Max Per-Stage Resources  200
Max Descriptor Set Samplers  576
Max Descriptor Set Uniform Buffers  1800
Max Descriptor Set Dynamic Uniform Buffers  16
Max Descriptor Set Storage Buffers  1800
Max Descriptor Set Dynamic Storage Buffers  16
Max Descriptor Set Sampled Images  1800
Max Descriptor Set Storage Images  144
Max Descriptor Set Input Attachments  7
Max Vertex Input Attributes  32
Max Vertex Input Bindings  32
Max Vertex Input Attribute Offset  2047
Max Vertex Input Binding Stride  4095
Max Vertex Output Components  128
Max Tesselation Generation Level  64
Max Tesselation Patch Size  32
Max Tesselation Control Per-Vertex Input Components  128
Max Tesselation Control Per-Vertex Output Components  128
Max Tesselation Control Per-Patch Output Components  120
Max Tesselation Control Total Output Components  4096
Max Tesselation Evaluation Input Components  128
Max Tesselation Evaluation Output Components  128
Max Geometry Shader Invocations  32
Max Geometry Input Components  128
Max Geometry Output Components  128
Max Geometry Output Vertices  256
Max Geometry Total Output Components  1024
Max Fragment Input Components  128
Max Fragment Output Attachments  8
Max Fragment DualSrc Attachments  1
Max Fragment Combined Output Resources  16
Max Compute Shared Memory Size  32768 bytes
Max Compute Work Group Count  X: 65536, Y: 65536, Z: 65536
Max Compute Work Group Invocations  1024
Max Compute Work Group Size  X: 1024, Y: 1024, Z: 64
Subpixel Precision Bits  8
Subtexel Precision Bits  8
Mipmap Precision Bits  8
Max Draw Indexed Index Value  4294967295
Max Draw Indirect Count  4294967295
Max Sampler LOD Bias  16.000000
Max Sampler Anisotropy  16.000000
Max Viewports  16
Max Viewport Size  32768 x 32768
Viewport Bounds Range  -65536.000000 ... 65535.000000
Viewport Subpixel Bits  8
Min Memory Map Alignment  64 bytes
Min Texel Buffer Offset Alignment  16 bytes
Min Uniform Buffer Offset Alignment  32 bytes
Min Storage Buffer Offset Alignment  16 bytes
Min / Max Texel Offset  -8 / 7
Min / Max Texel Gather Offset  -32 / 31
Min / Max Interpolation Offset  -0.500000 / 0.437500
Subpixel Interpolation Offset Bits  4
Max Framebuffer Size  16384 x 16384
Max Framebuffer Layers  2048
Framebuffer Color Sample Counts  0x0000001F
Framebuffer Depth Sample Counts  0x0000001F
Framebuffer Stencil Sample Counts  0x0000001F
Framebuffer No Attachments Sample Counts  0x0000001F
Max Color Attachments  8
Sampled Image Color Sample Counts  0x0000001F
Sampled Image Integer Sample Counts  0x0000001F
Sampled Image Depth Sample Counts  0x0000001F
Sampled Image Stencil Sample Counts  0x0000001F
Storage Image Sample Counts  0x0000001F
Max Sample Mask Words  1
Timestamp Period  52.083332 ns
Max Clip Distances  8
Max Cull Distances  8
Max Combined Clip and Cull Distances  8
Discrete Queue Priorities  2
Point Size Range  0.125000 ... 255.875000
Line Width Range  0.000000 ... 7.992188
Point Size Granularity  0.125000
Line Width Granularity  0.007813
Optimal Buffer Copy Offset Alignment  16 bytes
Optimal Buffer Copy Row Pitch Alignment  16 bytes
Non-Coherent Atom Size  1 bytes
Driver Version  0.401.3367
API Version  1.1.125
Vulkan DLL  C:\Windows\system32\vulkan-1.dll (1.1.121.2)
 
Device Features:
Alpha To One  Supported
Anisotropic Filtering  Supported
ASTC LDR Texture Compression  Supported
BC Texture Compression  Supported
Depth Bias Clamping  Supported
Depth Bounds Tests  Not Supported
Depth Clamping  Supported
Draw Indirect First Instance  Supported
Dual Source Blend Operations  Supported
ETC2 and EAC Texture Compression  Supported
Fragment Stores and Atomics  Supported
Full Draw Index Uint32  Supported
Geometry Shader  Supported
Image Cube Array  Supported
Independent Blend  Supported
Inherited Queries  Supported
Large Points  Supported
Logic Operations  Supported
Multi-Draw Indirect  Supported
Multi Viewport  Supported
Occlusion Query Precise  Supported
Pipeline Statistics Query  Supported
Point and Wireframe Fill Modes  Supported
Robust Buffer Access  Supported
Sample Rate Shading  Supported
Shader Clip Distance  Supported
Shader Cull Distance  Supported
Shader Float64  Not Supported
Shader Image Gather Extended  Supported
Shader Int16  Supported
Shader Int64  Not Supported
Shader Resource Min LOD  Not Supported
Shader Resource Residency  Supported
Shader Sampled Image Array Dynamic Indexing  Supported
Shader Storage Buffer Array Dynamic Indexing  Supported
Shader Storage Image Array Dynamic Indexing  Supported
Shader Storage Image Extended Formats  Supported
Shader Storage Image Multisample  Supported
Shader Storage Image Read Without Format  Not Supported
Shader Storage Image Write Without Format  Supported
Shader Tesselation and Geometry Point Size  Supported
Shader Uniform Buffer Array Dynamic Indexing  Supported
Sparse Binding  Supported
Sparse Residency 2 Samples  Supported
Sparse Residency 4 Samples  Supported
Sparse Residency 8 Samples  Supported
Sparse Residency 16 Samples  Supported
Sparse Residency Aliased  Supported
Sparse Residency Aligned Mip Size  No
Sparse Residency Buffer  Supported
Sparse Residency Image 2D  Supported
Sparse Residency Image 3D  Supported
Sparse Residency Non-Resident Strict  Yes
Sparse Residency Standard 2D Block Shape  Yes
Sparse Residency Standard 2D Multisample Block Shape  Yes
Sparse Residency Standard 3D Block Shape  Yes
Standard Sample Locations  Yes
Strict Line Rasterization  No
Tesselation Shader  Supported
Timestamps on All Graphics and Compute Queues  Supported
Variable Multisample Rate  Supported
Vertex Pipeline Stores and Atomics  Supported
Wide Lines  Supported
 
Queue:
Queue Count  1
Timestamp Valid Bits  36
Min Image Transfer Granularity  1 x 1 x 1
Compute Operations  Supported
Graphics Operations  Supported
Sparse Memory Management Operations  Supported
Transfer Operations  Supported
 
Memory Heap:
Heap Type  Local
Heap Size  4185514 KB
Host Cached  No
Host Coherent  No
Host Visible  No
Lazily Allocated  No
 
Memory Heap:
Heap Type  Local
Heap Size  4185514 KB
Host Cached  Yes
Host Coherent  Yes
Host Visible  Yes
Lazily Allocated  No
 
Device Extensions:
VK_EXT_buffer_device_address  Supported
VK_EXT_conditional_rendering  Supported
VK_EXT_conservative_rasterization  Supported
VK_EXT_depth_clip_enable  Supported
VK_EXT_descriptor_indexing  Supported
VK_EXT_external_memory_host  Supported
VK_EXT_fragment_shader_interlock  Supported
VK_EXT_host_query_reset  Supported
VK_EXT_index_type_uint8  Supported
VK_EXT_inline_uniform_block  Supported
VK_EXT_memory_budget  Supported
VK_EXT_pipeline_creation_feedback  Supported
VK_EXT_post_depth_coverage  Supported
VK_EXT_sample_locations  Supported
VK_EXT_sampler_filter_minmax  Supported
VK_EXT_scalar_block_layout  Supported
VK_EXT_separate_stencil_usage  Supported
VK_EXT_shader_demote_to_helper_invocation  Supported
VK_EXT_shader_stencil_export  Supported
VK_EXT_shader_subgroup_ballot  Supported
VK_EXT_shader_subgroup_vote  Supported
VK_EXT_shader_viewport_index_layer  Supported
VK_EXT_subgroup_size_control  Supported
VK_EXT_texel_buffer_alignment  Supported
VK_EXT_vertex_attribute_divisor  Supported
VK_INTEL_performance_query  Supported
VK_KHR_16bit_storage  Supported
VK_KHR_8bit_storage  Supported
VK_KHR_bind_memory2  Supported
VK_KHR_create_renderpass2  Supported
VK_KHR_dedicated_allocation  Supported
VK_KHR_depth_stencil_resolve  Supported
VK_KHR_descriptor_update_template  Supported
VK_KHR_device_group  Supported
VK_KHR_draw_indirect_count  Supported
VK_KHR_driver_properties  Supported
VK_KHR_external_fence  Supported
VK_KHR_external_fence_win32  Supported
VK_KHR_external_memory  Supported
VK_KHR_external_memory_win32  Supported
VK_KHR_external_semaphore  Supported
VK_KHR_external_semaphore_win32  Supported
VK_KHR_get_memory_requirements2  Supported
VK_KHR_image_format_list  Supported
VK_KHR_imageless_framebuffer  Supported
VK_KHR_maintenance1  Supported
VK_KHR_maintenance2  Supported
VK_KHR_maintenance3  Supported
VK_KHR_multiview  Supported
VK_KHR_push_descriptor  Supported
VK_KHR_relaxed_block_layout  Supported
VK_KHR_sampler_mirror_clamp_to_edge  Supported
VK_KHR_sampler_ycbcr_conversion  Supported
VK_KHR_shader_clock  Supported
VK_KHR_shader_draw_parameters  Supported
VK_KHR_shader_float16_int8  Supported
VK_KHR_shader_subgroup_extended_types  Supported
VK_KHR_storage_buffer_storage_class  Supported
VK_KHR_swapchain  Supported
VK_KHR_swapchain_mutable_format  Supported
VK_KHR_timeline_semaphore  Supported
VK_KHR_uniform_buffer_standard_layout  Supported
VK_KHR_variable_pointers  Supported
VK_KHR_vulkan_memory_model  Supported
VK_KHR_win32_keyed_mutex  Supported
 
Instance Extensions:
VK_EXT_debug_report  Supported
VK_EXT_debug_utils  Supported
VK_EXT_swapchain_colorspace  Supported
VK_KHR_device_group_creation  Supported
VK_KHR_external_fence_capabilities  Supported
VK_KHR_external_memory_capabilities  Supported
VK_KHR_external_semaphore_capabilities  Supported
VK_KHR_get_physical_device_properties2  Supported
VK_KHR_get_surface_capabilities2  Supported
VK_KHR_surface  Supported
VK_KHR_win32_surface  Supported
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


Fonts

 
Font Family  Type  Style  Character Set  Char. Size  Char. Weight
@DengXian Light  Special  Regular  Central European  21 x 50  30 %
@DengXian Light  Special  Regular  CHINESE_GB2312  21 x 50  30 %
@DengXian Light  Special  Regular  Cyrillic  21 x 50  30 %
@DengXian Light  Special  Regular  Greek  21 x 50  30 %
@DengXian Light  Special  Regular  Western  21 x 50  30 %
@DengXian  Special  Regular  Central European  21 x 50  40 %
@DengXian  Special  Regular  CHINESE_GB2312  21 x 50  40 %
@DengXian  Special  Regular  Cyrillic  21 x 50  40 %
@DengXian  Special  Regular  Greek  21 x 50  40 %
@DengXian  Special  Regular  Western  21 x 50  40 %
@FangSong  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@FangSong  Modern  Regular  Western  24 x 48  40 %
@FZShuTi  Special  Regular  CHINESE_GB2312  24 x 50  40 %
@FZYaoTi  Special  Regular  CHINESE_GB2312  24 x 54  40 %
@KaiTi  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@KaiTi  Modern  Regular  Western  24 x 48  40 %
@LG PC  Roman  Regular  Hangul  20 x 56  40 %
@LG PC  Roman  Regular  Western  20 x 56  40 %
@LG Smart UI Bold  Swiss  Regular  Hangul  38 x 56  70 %
@LG Smart UI Bold  Swiss  Regular  Western  38 x 56  70 %
@LG Smart UI Light  Swiss  Regular  Hangul  37 x 56  30 %
@LG Smart UI Light  Swiss  Regular  Western  37 x 56  30 %
@LG Smart UI Regular  Swiss  Regular  Hangul  38 x 56  40 %
@LG Smart UI Regular  Swiss  Regular  Western  38 x 56  40 %
@LG Smart UI SemiBold  Swiss  Regular  Hangul  38 x 56  60 %
@LG Smart UI SemiBold  Swiss  Regular  Western  38 x 56  60 %
@LiSu  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@Malgun Gothic Semilight  Swiss  Regular  Baltic  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  CHINESE_BIG5  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  CHINESE_GB2312  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Cyrillic  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Greek  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Hangul(Johab)  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Hangul  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Hebrew  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Japanese  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Turkish  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Vietnamese  47 x 64  30 %
@Malgun Gothic Semilight  Swiss  Regular  Western  47 x 64  30 %
@Malgun Gothic  Swiss  Regular  Hangul  22 x 64  40 %
@Malgun Gothic  Swiss  Regular  Western  22 x 64  40 %
@Microsoft JhengHei Light  Swiss  Regular  CHINESE_BIG5  47 x 64  29 %
@Microsoft JhengHei Light  Swiss  Regular  Greek  47 x 64  29 %
@Microsoft JhengHei Light  Swiss  Regular  Western  47 x 64  29 %
@Microsoft JhengHei UI Light  Swiss  Regular  CHINESE_BIG5  47 x 61  29 %
@Microsoft JhengHei UI Light  Swiss  Regular  Greek  47 x 61  29 %
@Microsoft JhengHei UI Light  Swiss  Regular  Western  47 x 61  29 %
@Microsoft JhengHei UI  Swiss  Regular  CHINESE_BIG5  22 x 61  40 %
@Microsoft JhengHei UI  Swiss  Regular  Greek  22 x 61  40 %
@Microsoft JhengHei UI  Swiss  Regular  Western  22 x 61  40 %
@Microsoft JhengHei  Swiss  Regular  CHINESE_BIG5  22 x 64  40 %
@Microsoft JhengHei  Swiss  Regular  Greek  22 x 64  40 %
@Microsoft JhengHei  Swiss  Regular  Western  22 x 64  40 %
@Microsoft YaHei Heavy  Swiss  Regular  Baltic  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Central European  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  CHINESE_GB2312  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Cyrillic  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Greek  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Turkish  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Vietnamese  29 x 64  90 %
@Microsoft YaHei Heavy  Swiss  Regular  Western  29 x 64  90 %
@Microsoft YaHei Light  Swiss  Regular  Baltic  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Central European  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  CHINESE_GB2312  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Cyrillic  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Greek  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Turkish  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Vietnamese  27 x 64  30 %
@Microsoft YaHei Light  Swiss  Regular  Western  27 x 64  30 %
@Microsoft YaHei Semibold  Swiss  Regular  Baltic  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Central European  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  CHINESE_GB2312  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Cyrillic  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Greek  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Turkish  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Vietnamese  29 x 64  60 %
@Microsoft YaHei Semibold  Swiss  Regular  Western  29 x 64  60 %
@Microsoft YaHei Semilight  Swiss  Regular  Baltic  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Central European  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  CHINESE_GB2312  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Cyrillic  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Greek  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Turkish  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Vietnamese  27 x 64  35 %
@Microsoft YaHei Semilight  Swiss  Regular  Western  27 x 64  35 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Baltic  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Central European  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  CHINESE_GB2312  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Cyrillic  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Greek  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Turkish  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Vietnamese  29 x 64  90 %
@Microsoft YaHei UI Heavy  Swiss  Regular  Western  29 x 64  90 %
@Microsoft YaHei UI Light  Swiss  Regular  Baltic  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Central European  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  CHINESE_GB2312  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Cyrillic  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Greek  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Turkish  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Vietnamese  27 x 64  30 %
@Microsoft YaHei UI Light  Swiss  Regular  Western  27 x 64  30 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Baltic  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Central European  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  CHINESE_GB2312  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Cyrillic  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Greek  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Turkish  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Vietnamese  29 x 64  60 %
@Microsoft YaHei UI Semibold  Swiss  Regular  Western  29 x 64  60 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Baltic  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Central European  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  CHINESE_GB2312  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Cyrillic  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Greek  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Turkish  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Vietnamese  27 x 64  35 %
@Microsoft YaHei UI Semilight  Swiss  Regular  Western  27 x 64  35 %
@Microsoft YaHei UI  Swiss  Regular  Baltic  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Central European  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  CHINESE_GB2312  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Cyrillic  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Greek  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Turkish  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Vietnamese  28 x 64  40 %
@Microsoft YaHei UI  Swiss  Regular  Western  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Baltic  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Central European  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  CHINESE_GB2312  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Cyrillic  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Greek  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Turkish  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Vietnamese  28 x 64  40 %
@Microsoft YaHei  Swiss  Regular  Western  28 x 64  40 %
@MingLiU_HKSCS-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
@MingLiU_HKSCS-ExtB  Roman  Regular  Western  24 x 48  40 %
@MingLiU-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
@MingLiU-ExtB  Roman  Regular  Western  24 x 48  40 %
@MS Gothic  Modern  Regular  Baltic  24 x 48  40 %
@MS Gothic  Modern  Regular  Central European  24 x 48  40 %
@MS Gothic  Modern  Regular  Cyrillic  24 x 48  40 %
@MS Gothic  Modern  Regular  Greek  24 x 48  40 %
@MS Gothic  Modern  Regular  Japanese  24 x 48  40 %
@MS Gothic  Modern  Regular  Turkish  24 x 48  40 %
@MS Gothic  Modern  Regular  Western  24 x 48  40 %
@MS PGothic  Swiss  Regular  Baltic  20 x 48  40 %
@MS PGothic  Swiss  Regular  Central European  20 x 48  40 %
@MS PGothic  Swiss  Regular  Cyrillic  20 x 48  40 %
@MS PGothic  Swiss  Regular  Greek  20 x 48  40 %
@MS PGothic  Swiss  Regular  Japanese  20 x 48  40 %
@MS PGothic  Swiss  Regular  Turkish  20 x 48  40 %
@MS PGothic  Swiss  Regular  Western  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Baltic  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Central European  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Cyrillic  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Greek  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Japanese  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Turkish  20 x 48  40 %
@MS UI Gothic  Swiss  Regular  Western  20 x 48  40 %
@NSimSun  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@NSimSun  Modern  Regular  Western  24 x 48  40 %
@PMingLiU-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
@PMingLiU-ExtB  Roman  Regular  Western  24 x 48  40 %
@SimHei  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@SimHei  Modern  Regular  Western  24 x 48  40 %
@SimSun  Special  Regular  CHINESE_GB2312  24 x 48  40 %
@SimSun  Special  Regular  Western  24 x 48  40 %
@SimSun-ExtB  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@SimSun-ExtB  Modern  Regular  Western  24 x 48  40 %
@STCaiyun  Special  Regular  CHINESE_GB2312  21 x 50  40 %
@STFangsong  Special  Regular  Baltic  19 x 54  40 %
@STFangsong  Special  Regular  Central European  19 x 54  40 %
@STFangsong  Special  Regular  CHINESE_GB2312  19 x 54  40 %
@STFangsong  Special  Regular  Cyrillic  19 x 54  40 %
@STFangsong  Special  Regular  Greek  19 x 54  40 %
@STFangsong  Special  Regular  Turkish  19 x 54  40 %
@STFangsong  Special  Regular  Western  19 x 54  40 %
@STHupo  Special  Regular  CHINESE_GB2312  21 x 49  40 %
@STKaiti  Special  Regular  Baltic  19 x 54  40 %
@STKaiti  Special  Regular  Central European  19 x 54  40 %
@STKaiti  Special  Regular  CHINESE_GB2312  19 x 54  40 %
@STKaiti  Special  Regular  Cyrillic  19 x 54  40 %
@STKaiti  Special  Regular  Greek  19 x 54  40 %
@STKaiti  Special  Regular  Turkish  19 x 54  40 %
@STKaiti  Special  Regular  Western  19 x 54  40 %
@STLiti  Special  Regular  CHINESE_GB2312  17 x 49  40 %
@STSong  Special  Regular  Baltic  19 x 54  40 %
@STSong  Special  Regular  Central European  19 x 54  40 %
@STSong  Special  Regular  CHINESE_GB2312  19 x 54  40 %
@STSong  Special  Regular  Cyrillic  19 x 54  40 %
@STSong  Special  Regular  Greek  19 x 54  40 %
@STSong  Special  Regular  Turkish  19 x 54  40 %
@STSong  Special  Regular  Western  19 x 54  40 %
@STXihei  Special  Regular  Baltic  23 x 52  40 %
@STXihei  Special  Regular  Central European  23 x 52  40 %
@STXihei  Special  Regular  CHINESE_GB2312  23 x 52  40 %
@STXihei  Special  Regular  Cyrillic  23 x 52  40 %
@STXihei  Special  Regular  Greek  23 x 52  40 %
@STXihei  Special  Regular  Turkish  23 x 52  40 %
@STXihei  Special  Regular  Western  23 x 52  40 %
@STXingkai  Special  Regular  CHINESE_GB2312  15 x 50  40 %
@STXinwei  Special  Regular  CHINESE_GB2312  21 x 49  40 %
@STZhongsong  Special  Regular  Baltic  24 x 55  40 %
@STZhongsong  Special  Regular  Central European  24 x 55  40 %
@STZhongsong  Special  Regular  CHINESE_GB2312  24 x 55  40 %
@STZhongsong  Special  Regular  Cyrillic  24 x 55  40 %
@STZhongsong  Special  Regular  Greek  24 x 55  40 %
@STZhongsong  Special  Regular  Turkish  24 x 55  40 %
@STZhongsong  Special  Regular  Western  24 x 55  40 %
@YouYuan  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
@Yu Gothic Light  Swiss  Regular  Baltic  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Central European  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Cyrillic  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Greek  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Japanese  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Turkish  46 x 62  30 %
@Yu Gothic Light  Swiss  Regular  Western  46 x 62  30 %
@Yu Gothic Medium  Swiss  Regular  Baltic  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Central European  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Cyrillic  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Greek  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Japanese  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Turkish  46 x 62  50 %
@Yu Gothic Medium  Swiss  Regular  Western  46 x 62  50 %
@Yu Gothic UI Light  Swiss  Regular  Baltic  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Central European  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Cyrillic  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Greek  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Japanese  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Turkish  25 x 64  30 %
@Yu Gothic UI Light  Swiss  Regular  Western  25 x 64  30 %
@Yu Gothic UI Semibold  Swiss  Regular  Baltic  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Central European  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Cyrillic  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Greek  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Japanese  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Turkish  28 x 64  60 %
@Yu Gothic UI Semibold  Swiss  Regular  Western  28 x 64  60 %
@Yu Gothic UI Semilight  Swiss  Regular  Baltic  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Central European  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Cyrillic  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Greek  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Japanese  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Turkish  26 x 64  35 %
@Yu Gothic UI Semilight  Swiss  Regular  Western  26 x 64  35 %
@Yu Gothic UI  Swiss  Regular  Baltic  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Central European  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Cyrillic  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Greek  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Japanese  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Turkish  26 x 64  40 %
@Yu Gothic UI  Swiss  Regular  Western  26 x 64  40 %
@Yu Gothic  Swiss  Regular  Baltic  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Central European  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Cyrillic  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Greek  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Japanese  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Turkish  46 x 62  40 %
@Yu Gothic  Swiss  Regular  Western  46 x 62  40 %
8514oem  Modern    OEM/DOS  10 x 20  40 %
Agency FB  Swiss  Regular  Western  15 x 54  40 %
Algerian  Decorative  Regular  Western  26 x 53  40 %
Arial Black  Swiss  Regular  Baltic  27 x 68  90 %
Arial Black  Swiss  Regular  Central European  27 x 68  90 %
Arial Black  Swiss  Regular  Cyrillic  27 x 68  90 %
Arial Black  Swiss  Regular  Greek  27 x 68  90 %
Arial Black  Swiss  Regular  Turkish  27 x 68  90 %
Arial Black  Swiss  Regular  Western  27 x 68  90 %
Arial Narrow  Swiss  Regular  Baltic  17 x 54  40 %
Arial Narrow  Swiss  Regular  Central European  17 x 54  40 %
Arial Narrow  Swiss  Regular  Cyrillic  17 x 54  40 %
Arial Narrow  Swiss  Regular  Greek  17 x 54  40 %
Arial Narrow  Swiss  Regular  Turkish  17 x 54  40 %
Arial Narrow  Swiss  Regular  Western  17 x 54  40 %
Arial Rounded MT Bold  Swiss  Regular  Western  23 x 56  40 %
Arial  Swiss  Regular  Arabic  21 x 54  40 %
Arial  Swiss  Regular  Baltic  21 x 54  40 %
Arial  Swiss  Regular  Central European  21 x 54  40 %
Arial  Swiss  Regular  Cyrillic  21 x 54  40 %
Arial  Swiss  Regular  Greek  21 x 54  40 %
Arial  Swiss  Regular  Hebrew  21 x 54  40 %
Arial  Swiss  Regular  Turkish  21 x 54  40 %
Arial  Swiss  Regular  Vietnamese  21 x 54  40 %
Arial  Swiss  Regular  Western  21 x 54  40 %
Bahnschrift Condensed  Swiss  Condensed  Baltic  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Central European  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Cyrillic  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Greek  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Turkish  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Vietnamese  27 x 58  40 %
Bahnschrift Condensed  Swiss  Condensed  Western  27 x 58  40 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Baltic  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Central European  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Cyrillic  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Greek  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Turkish  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Vietnamese  27 x 58  30 %
Bahnschrift Light Condensed  Swiss  Light Condensed  Western  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Baltic  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Central European  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Cyrillic  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Greek  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Turkish  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Vietnamese  27 x 58  30 %
Bahnschrift Light SemiCondensed  Swiss  Light SemiCondensed  Western  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Baltic  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Central European  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Cyrillic  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Greek  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Turkish  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Vietnamese  27 x 58  30 %
Bahnschrift Light  Swiss  Light  Western  27 x 58  30 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Baltic  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Central European  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Cyrillic  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Greek  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Turkish  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Vietnamese  27 x 58  60 %
Bahnschrift SemiBold Condensed  Swiss  SemiBold Condensed  Western  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Baltic  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Central European  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Cyrillic  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Greek  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Turkish  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Vietnamese  27 x 58  60 %
Bahnschrift SemiBold SemiConden  Swiss  SemiBold SemiCondensed  Western  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Baltic  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Central European  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Cyrillic  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Greek  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Turkish  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Vietnamese  27 x 58  60 %
Bahnschrift SemiBold  Swiss  SemiBold  Western  27 x 58  60 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Baltic  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Central European  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Cyrillic  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Greek  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Turkish  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Vietnamese  27 x 58  40 %
Bahnschrift SemiCondensed  Swiss  SemiCondensed  Western  27 x 58  40 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Baltic  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Central European  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Cyrillic  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Greek  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Turkish  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Vietnamese  27 x 58  35 %
Bahnschrift SemiLight Condensed  Swiss  SemiLight Condensed  Western  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Baltic  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Central European  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Cyrillic  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Greek  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Turkish  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Vietnamese  27 x 58  35 %
Bahnschrift SemiLight SemiConde  Swiss  SemiLight SemiCondensed  Western  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Baltic  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Central European  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Cyrillic  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Greek  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Turkish  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Vietnamese  27 x 58  35 %
Bahnschrift SemiLight  Swiss  SemiLight  Western  27 x 58  35 %
Bahnschrift  Swiss  Regular  Baltic  27 x 58  40 %
Bahnschrift  Swiss  Regular  Central European  27 x 58  40 %
Bahnschrift  Swiss  Regular  Cyrillic  27 x 58  40 %
Bahnschrift  Swiss  Regular  Greek  27 x 58  40 %
Bahnschrift  Swiss  Regular  Turkish  27 x 58  40 %
Bahnschrift  Swiss  Regular  Vietnamese  27 x 58  40 %
Bahnschrift  Swiss  Regular  Western  27 x 58  40 %
Baskerville Old Face  Roman  Regular  Western  19 x 55  40 %
Bauhaus 93  Decorative  Regular  Western  21 x 54  40 %
Bell MT  Roman  Regular  Western  20 x 53  40 %
Berlin Sans FB Demi  Swiss  Bold  Western  21 x 54  70 %
Berlin Sans FB  Swiss  Regular  Western  20 x 53  40 %
Bernard MT Condensed  Roman  Regular  Western  19 x 57  40 %
Blackadder ITC  Decorative  Regular  Western  15 x 62  40 %
Bodoni MT Black  Roman  Regular  Western  24 x 56  90 %
Bodoni MT Condensed  Roman  Regular  Western  14 x 56  40 %
Bodoni MT Poster Compressed  Roman  Regular  Turkish  11 x 55  30 %
Bodoni MT Poster Compressed  Roman  Regular  Western  11 x 55  30 %
Bodoni MT  Roman  Regular  Western  20 x 58  40 %
Book Antiqua  Roman  Regular  Baltic  21 x 60  40 %
Book Antiqua  Roman  Regular  Central European  21 x 60  40 %
Book Antiqua  Roman  Regular  Cyrillic  21 x 60  40 %
Book Antiqua  Roman  Regular  Greek  21 x 60  40 %
Book Antiqua  Roman  Regular  Turkish  21 x 60  40 %
Book Antiqua  Roman  Regular  Western  21 x 60  40 %
Bookman Old Style  Roman  Regular  Baltic  24 x 54  30 %
Bookman Old Style  Roman  Regular  Central European  24 x 54  30 %
Bookman Old Style  Roman  Regular  Cyrillic  24 x 54  30 %
Bookman Old Style  Roman  Regular  Greek  24 x 54  30 %
Bookman Old Style  Roman  Regular  Turkish  24 x 54  30 %
Bookman Old Style  Roman  Regular  Western  24 x 54  30 %
Bookshelf Symbol 7  Special  Regular  Symbol  32 x 48  40 %
Bradley Hand ITC  Script  Regular  Western  20 x 60  40 %
Britannic Bold  Swiss  Regular  Western  21 x 53  40 %
Broadway  Decorative  Regular  Western  26 x 54  40 %
Brush Script MT  Script  Italic  Western  15 x 59  40 %
Calibri Light  Swiss  Regular  Arabic  25 x 59  30 %
Calibri Light  Swiss  Regular  Baltic  25 x 59  30 %
Calibri Light  Swiss  Regular  Central European  25 x 59  30 %
Calibri Light  Swiss  Regular  Cyrillic  25 x 59  30 %
Calibri Light  Swiss  Regular  Greek  25 x 59  30 %
Calibri Light  Swiss  Regular  Hebrew  25 x 59  30 %
Calibri Light  Swiss  Regular  Turkish  25 x 59  30 %
Calibri Light  Swiss  Regular  Vietnamese  25 x 59  30 %
Calibri Light  Swiss  Regular  Western  25 x 59  30 %
Calibri  Swiss  Regular  Arabic  25 x 59  40 %
Calibri  Swiss  Regular  Baltic  25 x 59  40 %
Calibri  Swiss  Regular  Central European  25 x 59  40 %
Calibri  Swiss  Regular  Cyrillic  25 x 59  40 %
Calibri  Swiss  Regular  Greek  25 x 59  40 %
Calibri  Swiss  Regular  Hebrew  25 x 59  40 %
Calibri  Swiss  Regular  Turkish  25 x 59  40 %
Calibri  Swiss  Regular  Vietnamese  25 x 59  40 %
Calibri  Swiss  Regular  Western  25 x 59  40 %
Californian FB  Roman  Regular  Western  19 x 55  40 %
Calisto MT  Roman  Regular  Western  20 x 55  40 %
Cambria Math  Roman  Regular  Baltic  30 x 268  40 %
Cambria Math  Roman  Regular  Central European  30 x 268  40 %
Cambria Math  Roman  Regular  Cyrillic  30 x 268  40 %
Cambria Math  Roman  Regular  Greek  30 x 268  40 %
Cambria Math  Roman  Regular  Turkish  30 x 268  40 %
Cambria Math  Roman  Regular  Vietnamese  30 x 268  40 %
Cambria Math  Roman  Regular  Western  30 x 268  40 %
Cambria  Roman  Regular  Baltic  30 x 56  40 %
Cambria  Roman  Regular  Central European  30 x 56  40 %
Cambria  Roman  Regular  Cyrillic  30 x 56  40 %
Cambria  Roman  Regular  Greek  30 x 56  40 %
Cambria  Roman  Regular  Turkish  30 x 56  40 %
Cambria  Roman  Regular  Vietnamese  30 x 56  40 %
Cambria  Roman  Regular  Western  30 x 56  40 %
Candara Light  Swiss  Regular  Baltic  25 x 59  40 %
Candara Light  Swiss  Regular  Central European  25 x 59  40 %
Candara Light  Swiss  Regular  Cyrillic  25 x 59  40 %
Candara Light  Swiss  Regular  Greek  25 x 59  40 %
Candara Light  Swiss  Regular  Turkish  25 x 59  40 %
Candara Light  Swiss  Regular  Vietnamese  25 x 59  40 %
Candara Light  Swiss  Regular  Western  25 x 59  40 %
Candara  Swiss  Regular  Baltic  25 x 59  40 %
Candara  Swiss  Regular  Central European  25 x 59  40 %
Candara  Swiss  Regular  Cyrillic  25 x 59  40 %
Candara  Swiss  Regular  Greek  25 x 59  40 %
Candara  Swiss  Regular  Turkish  25 x 59  40 %
Candara  Swiss  Regular  Vietnamese  25 x 59  40 %
Candara  Swiss  Regular  Western  25 x 59  40 %
Castellar  Roman  Regular  Western  32 x 58  40 %
Centaur  Roman  Regular  Western  17 x 54  40 %
Century Gothic  Swiss  Regular  Baltic  23 x 57  40 %
Century Gothic  Swiss  Regular  Central European  23 x 57  40 %
Century Gothic  Swiss  Regular  Cyrillic  23 x 57  40 %
Century Gothic  Swiss  Regular  Greek  23 x 57  40 %
Century Gothic  Swiss  Regular  Turkish  23 x 57  40 %
Century Gothic  Swiss  Regular  Western  23 x 57  40 %
Century Schoolbook  Roman  Regular  Baltic  22 x 58  40 %
Century Schoolbook  Roman  Regular  Central European  22 x 58  40 %
Century Schoolbook  Roman  Regular  Cyrillic  22 x 58  40 %
Century Schoolbook  Roman  Regular  Greek  22 x 58  40 %
Century Schoolbook  Roman  Regular  Turkish  22 x 58  40 %
Century Schoolbook  Roman  Regular  Western  22 x 58  40 %
Century  Roman  Regular  Baltic  22 x 58  40 %
Century  Roman  Regular  Central European  22 x 58  40 %
Century  Roman  Regular  Cyrillic  22 x 58  40 %
Century  Roman  Regular  Greek  22 x 58  40 %
Century  Roman  Regular  Turkish  22 x 58  40 %
Century  Roman  Regular  Western  22 x 58  40 %
Chiller  Decorative  Regular  Western  14 x 55  40 %
Colonna MT  Decorative  Regular  Western  20 x 51  40 %
Comic Sans MS  Script  Regular  Baltic  22 x 67  40 %
Comic Sans MS  Script  Regular  Central European  22 x 67  40 %
Comic Sans MS  Script  Regular  Cyrillic  22 x 67  40 %
Comic Sans MS  Script  Regular  Greek  22 x 67  40 %
Comic Sans MS  Script  Regular  Turkish  22 x 67  40 %
Comic Sans MS  Script  Regular  Western  22 x 67  40 %
Consolas  Modern  Regular  Baltic  26 x 56  40 %
Consolas  Modern  Regular  Central European  26 x 56  40 %
Consolas  Modern  Regular  Cyrillic  26 x 56  40 %
Consolas  Modern  Regular  Greek  26 x 56  40 %
Consolas  Modern  Regular  Turkish  26 x 56  40 %
Consolas  Modern  Regular  Vietnamese  26 x 56  40 %
Consolas  Modern  Regular  Western  26 x 56  40 %
Constantia  Roman  Regular  Baltic  26 x 59  40 %
Constantia  Roman  Regular  Central European  26 x 59  40 %
Constantia  Roman  Regular  Cyrillic  26 x 59  40 %
Constantia  Roman  Regular  Greek  26 x 59  40 %
Constantia  Roman  Regular  Turkish  26 x 59  40 %
Constantia  Roman  Regular  Vietnamese  26 x 59  40 %
Constantia  Roman  Regular  Western  26 x 59  40 %
Cooper Black  Roman  Regular  Western  25 x 55  40 %
Copperplate Gothic Bold  Swiss  Regular  Western  28 x 53  40 %
Copperplate Gothic Light  Swiss  Regular  Western  27 x 52  40 %
Corbel Light  Swiss  Regular  Baltic  24 x 59  30 %
Corbel Light  Swiss  Regular  Central European  24 x 59  30 %
Corbel Light  Swiss  Regular  Cyrillic  24 x 59  30 %
Corbel Light  Swiss  Regular  Greek  24 x 59  30 %
Corbel Light  Swiss  Regular  Turkish  24 x 59  30 %
Corbel Light  Swiss  Regular  Vietnamese  24 x 59  30 %
Corbel Light  Swiss  Regular  Western  24 x 59  30 %
Corbel  Swiss  Regular  Baltic  25 x 59  40 %
Corbel  Swiss  Regular  Central European  25 x 59  40 %
Corbel  Swiss  Regular  Cyrillic  25 x 59  40 %
Corbel  Swiss  Regular  Greek  25 x 59  40 %
Corbel  Swiss  Regular  Turkish  25 x 59  40 %
Corbel  Swiss  Regular  Vietnamese  25 x 59  40 %
Corbel  Swiss  Regular  Western  25 x 59  40 %
Courier New  Modern  Regular  Arabic  29 x 54  40 %
Courier New  Modern  Regular  Baltic  29 x 54  40 %
Courier New  Modern  Regular  Central European  29 x 54  40 %
Courier New  Modern  Regular  Cyrillic  29 x 54  40 %
Courier New  Modern  Regular  Greek  29 x 54  40 %
Courier New  Modern  Regular  Hebrew  29 x 54  40 %
Courier New  Modern  Regular  Turkish  29 x 54  40 %
Courier New  Modern  Regular  Vietnamese  29 x 54  40 %
Courier New  Modern  Regular  Western  29 x 54  40 %
Courier  Modern    Western  8 x 13  40 %
Curlz MT  Decorative  Regular  Western  18 x 64  40 %
DengXian Light  Special  Regular  Central European  21 x 50  30 %
DengXian Light  Special  Regular  CHINESE_GB2312  21 x 50  30 %
DengXian Light  Special  Regular  Cyrillic  21 x 50  30 %
DengXian Light  Special  Regular  Greek  21 x 50  30 %
DengXian Light  Special  Regular  Western  21 x 50  30 %
DengXian  Special  Regular  Central European  21 x 50  40 %
DengXian  Special  Regular  CHINESE_GB2312  21 x 50  40 %
DengXian  Special  Regular  Cyrillic  21 x 50  40 %
DengXian  Special  Regular  Greek  21 x 50  40 %
DengXian  Special  Regular  Western  21 x 50  40 %
Dubai Light  Swiss  Regular  Arabic  24 x 81  30 %
Dubai Light  Swiss  Regular  Western  24 x 81  30 %
Dubai Medium  Swiss  Regular  Arabic  25 x 81  50 %
Dubai Medium  Swiss  Regular  Western  25 x 81  50 %
Dubai  Swiss  Regular  Arabic  25 x 81  40 %
Dubai  Swiss  Regular  Western  25 x 81  40 %
Ebrima  Special  Regular  Baltic  29 x 64  40 %
Ebrima  Special  Regular  Central European  29 x 64  40 %
Ebrima  Special  Regular  Turkish  29 x 64  40 %
Ebrima  Special  Regular  Western  29 x 64  40 %
Edwardian Script ITC  Script  Regular  Western  12 x 57  40 %
Elephant  Roman  Regular  Western  23 x 62  40 %
Engravers MT  Roman  Regular  Western  38 x 56  50 %
Eras Bold ITC  Swiss  Regular  Western  24 x 55  40 %
Eras Demi ITC  Swiss  Regular  Western  23 x 55  40 %
Eras Light ITC  Swiss  Regular  Western  20 x 54  40 %
Eras Medium ITC  Swiss  Regular  Western  21 x 54  40 %
FangSong  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
FangSong  Modern  Regular  Western  24 x 48  40 %
Felix Titling  Decorative  Regular  Western  28 x 56  40 %
Fixedsys  Modern    Western  10 x 20  40 %
Footlight MT Light  Roman  Regular  Western  20 x 51  30 %
Forte  Script  Regular  Western  20 x 53  40 %
Franklin Gothic Book  Swiss  Regular  Baltic  20 x 54  40 %
Franklin Gothic Book  Swiss  Regular  Central European  20 x 54  40 %
Franklin Gothic Book  Swiss  Regular  Cyrillic  20 x 54  40 %
Franklin Gothic Book  Swiss  Regular  Greek  20 x 54  40 %
Franklin Gothic Book  Swiss  Regular  Turkish  20 x 54  40 %
Franklin Gothic Book  Swiss  Regular  Western  20 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Baltic  18 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Central European  18 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Cyrillic  18 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Greek  18 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Turkish  18 x 54  40 %
Franklin Gothic Demi Cond  Swiss  Regular  Western  18 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Baltic  21 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Central European  21 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Cyrillic  21 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Greek  21 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Turkish  21 x 54  40 %
Franklin Gothic Demi  Swiss  Regular  Western  21 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Baltic  23 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Central European  23 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Cyrillic  23 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Greek  23 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Turkish  23 x 54  40 %
Franklin Gothic Heavy  Swiss  Regular  Western  23 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Baltic  17 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Central European  17 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Cyrillic  17 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Greek  17 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Turkish  17 x 54  40 %
Franklin Gothic Medium Cond  Swiss  Regular  Western  17 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Baltic  21 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Central European  21 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Cyrillic  21 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Greek  21 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Turkish  21 x 54  40 %
Franklin Gothic Medium  Swiss  Regular  Western  21 x 54  40 %
Freestyle Script  Script  Regular  Western  12 x 57  40 %
French Script MT  Script  Regular  Western  13 x 55  40 %
FZShuTi  Special  Regular  CHINESE_GB2312  24 x 50  40 %
FZYaoTi  Special  Regular  CHINESE_GB2312  24 x 54  40 %
Gabriola  Decorative  Regular  Baltic  24 x 88  40 %
Gabriola  Decorative  Regular  Central European  24 x 88  40 %
Gabriola  Decorative  Regular  Cyrillic  24 x 88  40 %
Gabriola  Decorative  Regular  Greek  24 x 88  40 %
Gabriola  Decorative  Regular  Turkish  24 x 88  40 %
Gabriola  Decorative  Regular  Western  24 x 88  40 %
Gadugi  Swiss  Regular  Western  31 x 64  40 %
Garamond  Roman  Regular  Baltic  19 x 54  40 %
Garamond  Roman  Regular  Central European  19 x 54  40 %
Garamond  Roman  Regular  Cyrillic  19 x 54  40 %
Garamond  Roman  Regular  Greek  19 x 54  40 %
Garamond  Roman  Regular  Turkish  19 x 54  40 %
Garamond  Roman  Regular  Western  19 x 54  40 %
Georgia  Roman  Regular  Baltic  21 x 55  40 %
Georgia  Roman  Regular  Central European  21 x 55  40 %
Georgia  Roman  Regular  Cyrillic  21 x 55  40 %
Georgia  Roman  Regular  Greek  21 x 55  40 %
Georgia  Roman  Regular  Turkish  21 x 55  40 %
Georgia  Roman  Regular  Western  21 x 55  40 %
Gigi  Decorative  Regular  Western  19 x 66  40 %
Gill Sans MT Condensed  Swiss  Regular  Central European  15 x 58  40 %
Gill Sans MT Condensed  Swiss  Regular  Western  15 x 58  40 %
Gill Sans MT Ext Condensed Bold  Swiss  Regular  Central European  11 x 57  40 %
Gill Sans MT Ext Condensed Bold  Swiss  Regular  Western  11 x 57  40 %
Gill Sans MT  Swiss  Regular  Central European  20 x 56  40 %
Gill Sans MT  Swiss  Regular  Western  20 x 56  40 %
Gill Sans Ultra Bold Condensed  Swiss  Regular  Central European  21 x 60  40 %
Gill Sans Ultra Bold Condensed  Swiss  Regular  Western  21 x 60  40 %
Gill Sans Ultra Bold  Swiss  Regular  Central European  30 x 60  40 %
Gill Sans Ultra Bold  Swiss  Regular  Western  30 x 60  40 %
Gloucester MT Extra Condensed  Roman  Regular  Western  13 x 56  40 %
Goudy Old Style  Roman  Regular  Western  19 x 53  40 %
Goudy Stout  Roman  Regular  Western  53 x 66  40 %
Haettenschweiler  Swiss  Regular  Baltic  15 x 50  40 %
Haettenschweiler  Swiss  Regular  Central European  15 x 50  40 %
Haettenschweiler  Swiss  Regular  Cyrillic  15 x 50  40 %
Haettenschweiler  Swiss  Regular  Greek  15 x 50  40 %
Haettenschweiler  Swiss  Regular  Turkish  15 x 50  40 %
Haettenschweiler  Swiss  Regular  Western  15 x 50  40 %
Harlow Solid Italic  Decorative  Italic  Western  18 x 61  40 %
Harrington  Decorative  Regular  Western  21 x 56  40 %
High Tower Text  Roman  Regular  Western  20 x 56  40 %
HoloLens MDL2 Assets  Roman  Regular  Western  51 x 48  40 %
Impact  Swiss  Regular  Baltic  29 x 59  40 %
Impact  Swiss  Regular  Central European  29 x 59  40 %
Impact  Swiss  Regular  Cyrillic  29 x 59  40 %
Impact  Swiss  Regular  Greek  29 x 59  40 %
Impact  Swiss  Regular  Turkish  29 x 59  40 %
Impact  Swiss  Regular  Western  29 x 59  40 %
Imprint MT Shadow  Decorative  Regular  Western  20 x 57  40 %
Informal Roman  Script  Regular  Western  17 x 49  40 %
Ink Free  Script  Regular  Western  25 x 59  40 %
Javanese Text  Special  Regular  Western  39 x 109  40 %
Jokerman  Decorative  Regular  Western  23 x 73  40 %
Juice ITC  Decorative  Regular  Western  14 x 54  40 %
KaiTi  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
KaiTi  Modern  Regular  Western  24 x 48  40 %
Kristen ITC  Script  Regular  Western  24 x 65  40 %
Kunstler Script  Script  Regular  Western  12 x 52  40 %
Leelawadee UI Semilight  Swiss  Regular  Thai  26 x 64  35 %
Leelawadee UI Semilight  Swiss  Regular  Vietnamese  26 x 64  35 %
Leelawadee UI Semilight  Swiss  Regular  Western  26 x 64  35 %
Leelawadee UI  Swiss  Regular  Thai  26 x 64  40 %
Leelawadee UI  Swiss  Regular  Vietnamese  26 x 64  40 %
Leelawadee UI  Swiss  Regular  Western  26 x 64  40 %
Leelawadee  Swiss  Regular  Thai  26 x 57  40 %
Leelawadee  Swiss  Regular  Western  26 x 57  40 %
LG PC  Roman  Regular  Hangul  20 x 56  40 %
LG PC  Roman  Regular  Western  20 x 56  40 %
LG Smart UI Bold  Swiss  Regular  Hangul  38 x 56  70 %
LG Smart UI Bold  Swiss  Regular  Western  38 x 56  70 %
LG Smart UI Light  Swiss  Regular  Hangul  37 x 56  30 %
LG Smart UI Light  Swiss  Regular  Western  37 x 56  30 %
LG Smart UI Regular  Swiss  Regular  Hangul  38 x 56  40 %
LG Smart UI Regular  Swiss  Regular  Western  38 x 56  40 %
LG Smart UI SemiBold  Swiss  Regular  Hangul  38 x 56  60 %
LG Smart UI SemiBold  Swiss  Regular  Western  38 x 56  60 %
LiSu  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
Lucida Bright  Roman  Regular  Western  24 x 55  40 %
Lucida Calligraphy  Script  Italic  Western  26 x 60  40 %
Lucida Console  Modern  Regular  Central European  29 x 48  40 %
Lucida Console  Modern  Regular  Cyrillic  29 x 48  40 %
Lucida Console  Modern  Regular  Greek  29 x 48  40 %
Lucida Console  Modern  Regular  Turkish  29 x 48  40 %
Lucida Console  Modern  Regular  Western  29 x 48  40 %
Lucida Fax  Roman  Regular  Western  25 x 55  40 %
Lucida Handwriting  Script  Italic  Western  27 x 62  40 %
Lucida Sans Typewriter  Modern  Regular  Western  29 x 54  40 %
Lucida Sans Unicode  Swiss  Regular  Baltic  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Central European  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Cyrillic  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Greek  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Hebrew  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Turkish  24 x 74  40 %
Lucida Sans Unicode  Swiss  Regular  Western  24 x 74  40 %
Lucida Sans  Swiss  Regular  Western  24 x 55  40 %
Magneto  Decorative  Bold  Western  26 x 58  70 %
Maiandra GD  Swiss  Regular  Western  21 x 58  40 %
Malgun Gothic Semilight  Swiss  Regular  Baltic  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  CHINESE_BIG5  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  CHINESE_GB2312  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Cyrillic  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Greek  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Hangul(Johab)  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Hangul  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Hebrew  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Japanese  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Turkish  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Vietnamese  47 x 64  30 %
Malgun Gothic Semilight  Swiss  Regular  Western  47 x 64  30 %
Malgun Gothic  Swiss  Regular  Hangul  22 x 64  40 %
Malgun Gothic  Swiss  Regular  Western  22 x 64  40 %
Marlett  Special  Regular  Symbol  46 x 48  50 %
Matura MT Script Capitals  Script  Regular  Western  21 x 64  40 %
Microsoft Himalaya  Special  Regular  Western  20 x 48  40 %
Microsoft JhengHei Light  Swiss  Regular  CHINESE_BIG5  47 x 64  29 %
Microsoft JhengHei Light  Swiss  Regular  Greek  47 x 64  29 %
Microsoft JhengHei Light  Swiss  Regular  Western  47 x 64  29 %
Microsoft JhengHei UI Light  Swiss  Regular  CHINESE_BIG5  47 x 61  29 %
Microsoft JhengHei UI Light  Swiss  Regular  Greek  47 x 61  29 %
Microsoft JhengHei UI Light  Swiss  Regular  Western  47 x 61  29 %
Microsoft JhengHei UI  Swiss  Regular  CHINESE_BIG5  22 x 61  40 %
Microsoft JhengHei UI  Swiss  Regular  Greek  22 x 61  40 %
Microsoft JhengHei UI  Swiss  Regular  Western  22 x 61  40 %
Microsoft JhengHei  Swiss  Regular  CHINESE_BIG5  22 x 64  40 %
Microsoft JhengHei  Swiss  Regular  Greek  22 x 64  40 %
Microsoft JhengHei  Swiss  Regular  Western  22 x 64  40 %
Microsoft New Tai Lue  Swiss  Regular  Western  28 x 63  40 %
Microsoft PhagsPa  Swiss  Regular  Western  36 x 61  40 %
Microsoft Sans Serif  Swiss  Regular  Arabic  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Baltic  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Central European  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Cyrillic  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Greek  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Hebrew  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Thai  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Turkish  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Vietnamese  21 x 54  40 %
Microsoft Sans Serif  Swiss  Regular  Western  21 x 54  40 %
Microsoft Tai Le  Swiss  Regular  Western  28 x 61  40 %
Microsoft Uighur  Special  Regular  Arabic  19 x 48  40 %
Microsoft Uighur  Special  Regular  Western  19 x 48  40 %
Microsoft YaHei Heavy  Swiss  Regular  Baltic  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Central European  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  CHINESE_GB2312  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Cyrillic  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Greek  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Turkish  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Vietnamese  29 x 64  90 %
Microsoft YaHei Heavy  Swiss  Regular  Western  29 x 64  90 %
Microsoft YaHei Light  Swiss  Regular  Baltic  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Central European  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  CHINESE_GB2312  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Cyrillic  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Greek  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Turkish  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Vietnamese  27 x 64  30 %
Microsoft YaHei Light  Swiss  Regular  Western  27 x 64  30 %
Microsoft YaHei Semibold  Swiss  Regular  Baltic  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Central European  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  CHINESE_GB2312  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Cyrillic  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Greek  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Turkish  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Vietnamese  29 x 64  60 %
Microsoft YaHei Semibold  Swiss  Regular  Western  29 x 64  60 %
Microsoft YaHei Semilight  Swiss  Regular  Baltic  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Central European  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  CHINESE_GB2312  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Cyrillic  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Greek  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Turkish  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Vietnamese  27 x 64  35 %
Microsoft YaHei Semilight  Swiss  Regular  Western  27 x 64  35 %
Microsoft YaHei UI Heavy  Swiss  Regular  Baltic  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Central European  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  CHINESE_GB2312  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Cyrillic  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Greek  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Turkish  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Vietnamese  29 x 64  90 %
Microsoft YaHei UI Heavy  Swiss  Regular  Western  29 x 64  90 %
Microsoft YaHei UI Light  Swiss  Regular  Baltic  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Central European  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  CHINESE_GB2312  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Cyrillic  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Greek  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Turkish  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Vietnamese  27 x 64  30 %
Microsoft YaHei UI Light  Swiss  Regular  Western  27 x 64  30 %
Microsoft YaHei UI Semibold  Swiss  Regular  Baltic  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Central European  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  CHINESE_GB2312  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Cyrillic  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Greek  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Turkish  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Vietnamese  29 x 64  60 %
Microsoft YaHei UI Semibold  Swiss  Regular  Western  29 x 64  60 %
Microsoft YaHei UI Semilight  Swiss  Regular  Baltic  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Central European  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  CHINESE_GB2312  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Cyrillic  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Greek  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Turkish  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Vietnamese  27 x 64  35 %
Microsoft YaHei UI Semilight  Swiss  Regular  Western  27 x 64  35 %
Microsoft YaHei UI  Swiss  Regular  Baltic  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Central European  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  CHINESE_GB2312  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Cyrillic  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Greek  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Turkish  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Vietnamese  28 x 64  40 %
Microsoft YaHei UI  Swiss  Regular  Western  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Baltic  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Central European  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  CHINESE_GB2312  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Cyrillic  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Greek  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Turkish  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Vietnamese  28 x 64  40 %
Microsoft YaHei  Swiss  Regular  Western  28 x 64  40 %
Microsoft Yi Baiti  Script  Regular  Western  31 x 48  40 %
MingLiU_HKSCS-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
MingLiU_HKSCS-ExtB  Roman  Regular  Western  24 x 48  40 %
MingLiU-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
MingLiU-ExtB  Roman  Regular  Western  24 x 48  40 %
Mistral  Script  Regular  Baltic  15 x 58  40 %
Mistral  Script  Regular  Central European  15 x 58  40 %
Mistral  Script  Regular  Cyrillic  15 x 58  40 %
Mistral  Script  Regular  Greek  15 x 58  40 %
Mistral  Script  Regular  Turkish  15 x 58  40 %
Mistral  Script  Regular  Western  15 x 58  40 %
Modern No. 20  Roman  Regular  Western  19 x 49  40 %
Modern  Modern    OEM/DOS  29 x 55  40 %
Mongolian Baiti  Script  Regular  Western  21 x 51  40 %
Monotype Corsiva  Script  Regular  Baltic  17 x 52  40 %
Monotype Corsiva  Script  Regular  Central European  17 x 52  40 %
Monotype Corsiva  Script  Regular  Cyrillic  17 x 52  40 %
Monotype Corsiva  Script  Regular  Greek  17 x 52  40 %
Monotype Corsiva  Script  Regular  Turkish  17 x 52  40 %
Monotype Corsiva  Script  Regular  Western  17 x 52  40 %
MS Gothic  Modern  Regular  Baltic  24 x 48  40 %
MS Gothic  Modern  Regular  Central European  24 x 48  40 %
MS Gothic  Modern  Regular  Cyrillic  24 x 48  40 %
MS Gothic  Modern  Regular  Greek  24 x 48  40 %
MS Gothic  Modern  Regular  Japanese  24 x 48  40 %
MS Gothic  Modern  Regular  Turkish  24 x 48  40 %
MS Gothic  Modern  Regular  Western  24 x 48  40 %
MS Outlook  Special  Regular  Symbol  46 x 50  40 %
MS PGothic  Swiss  Regular  Baltic  20 x 48  40 %
MS PGothic  Swiss  Regular  Central European  20 x 48  40 %
MS PGothic  Swiss  Regular  Cyrillic  20 x 48  40 %
MS PGothic  Swiss  Regular  Greek  20 x 48  40 %
MS PGothic  Swiss  Regular  Japanese  20 x 48  40 %
MS PGothic  Swiss  Regular  Turkish  20 x 48  40 %
MS PGothic  Swiss  Regular  Western  20 x 48  40 %
MS Reference Sans Serif  Swiss  Regular  Baltic  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Central European  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Cyrillic  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Greek  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Turkish  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Vietnamese  24 x 58  40 %
MS Reference Sans Serif  Swiss  Regular  Western  24 x 58  40 %
MS Reference Specialty  Special  Regular  Symbol  34 x 59  40 %
MS Sans Serif  Swiss    Western  5 x 13  40 %
MS Serif  Roman    Western  5 x 13  40 %
MS UI Gothic  Swiss  Regular  Baltic  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Central European  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Cyrillic  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Greek  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Japanese  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Turkish  20 x 48  40 %
MS UI Gothic  Swiss  Regular  Western  20 x 48  40 %
MT Extra  Roman  Regular  Symbol  30 x 49  40 %
MV Boli  Special  Regular  Western  27 x 77  40 %
Myanmar Text  Swiss  Regular  Western  26 x 89  40 %
Niagara Engraved  Decorative  Regular  Western  11 x 51  40 %
Niagara Solid  Decorative  Regular  Western  11 x 51  40 %
Nirmala UI Semilight  Swiss  Regular  Western  26 x 64  35 %
Nirmala UI  Swiss  Regular  Western  47 x 64  40 %
NSimSun  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
NSimSun  Modern  Regular  Western  24 x 48  40 %
OCR A Extended  Modern  Regular  Western  29 x 50  40 %
Old English Text MT  Script  Regular  Western  19 x 59  40 %
Onyx  Decorative  Regular  Western  11 x 55  40 %
Palace Script MT  Script  Regular  Western  11 x 44  40 %
Palatino Linotype  Roman  Regular  Baltic  21 x 65  40 %
Palatino Linotype  Roman  Regular  Central European  21 x 65  40 %
Palatino Linotype  Roman  Regular  Cyrillic  21 x 65  40 %
Palatino Linotype  Roman  Regular  Greek  21 x 65  40 %
Palatino Linotype  Roman  Regular  Turkish  21 x 65  40 %
Palatino Linotype  Roman  Regular  Vietnamese  21 x 65  40 %
Palatino Linotype  Roman  Regular  Western  21 x 65  40 %
Papyrus  Script  Regular  Western  20 x 76  40 %
Parchment  Script  Regular  Western  8 x 51  40 %
Perpetua Titling MT  Roman  Light  Western  29 x 57  30 %
Perpetua  Roman  Regular  Western  17 x 55  40 %
Playbill  Decorative  Regular  Western  12 x 49  40 %
PMingLiU-ExtB  Roman  Regular  CHINESE_BIG5  24 x 48  40 %
PMingLiU-ExtB  Roman  Regular  Western  24 x 48  40 %
Poor Richard  Roman  Regular  Western  18 x 54  40 %
Pristina  Script  Regular  Western  15 x 63  40 %
PT Root UI Bold  Swiss  Regular  Baltic  26 x 60  70 %
PT Root UI Bold  Swiss  Regular  Central European  26 x 60  70 %
PT Root UI Bold  Swiss  Regular  Cyrillic  26 x 60  70 %
PT Root UI Bold  Swiss  Regular  Turkish  26 x 60  70 %
PT Root UI Bold  Swiss  Regular  Western  26 x 60  70 %
PT Root UI Light  Swiss  Regular  Baltic  26 x 60  30 %
PT Root UI Light  Swiss  Regular  Central European  26 x 60  30 %
PT Root UI Light  Swiss  Regular  Cyrillic  26 x 60  30 %
PT Root UI Light  Swiss  Regular  Turkish  26 x 60  30 %
PT Root UI Light  Swiss  Regular  Western  26 x 60  30 %
PT Root UI Medium  Swiss  Regular  Baltic  26 x 60  50 %
PT Root UI Medium  Swiss  Regular  Central European  26 x 60  50 %
PT Root UI Medium  Swiss  Regular  Cyrillic  26 x 60  50 %
PT Root UI Medium  Swiss  Regular  Turkish  26 x 60  50 %
PT Root UI Medium  Swiss  Regular  Western  26 x 60  50 %
PT Root UI  Swiss  Regular  Baltic  26 x 60  40 %
PT Root UI  Swiss  Regular  Central European  26 x 60  40 %
PT Root UI  Swiss  Regular  Cyrillic  26 x 60  40 %
PT Root UI  Swiss  Regular  Turkish  26 x 60  40 %
PT Root UI  Swiss  Regular  Western  26 x 60  40 %
Rage Italic  Script  Regular  Western  17 x 60  40 %
Ravie  Decorative  Regular  Western  33 x 64  40 %
Rockwell Condensed  Roman  Regular  Western  16 x 56  40 %
Rockwell Extra Bold  Roman  Regular  Western  29 x 56  80 %
Rockwell  Roman  Regular  Western  22 x 56  40 %
Roman  Roman    OEM/DOS  33 x 55  40 %
Script MT Bold  Script  Regular  Western  19 x 58  70 %
Script  Script    OEM/DOS  25 x 54  40 %
Segoe MDL2 Assets  Roman  Regular  Western  49 x 48  40 %
Segoe Print  Special  Regular  Baltic  31 x 84  40 %
Segoe Print  Special  Regular  Central European  31 x 84  40 %
Segoe Print  Special  Regular  Cyrillic  31 x 84  40 %
Segoe Print  Special  Regular  Greek  31 x 84  40 %
Segoe Print  Special  Regular  Turkish  31 x 84  40 %
Segoe Print  Special  Regular  Western  31 x 84  40 %
Segoe Script  Script  Regular  Baltic  33 x 76  40 %
Segoe Script  Script  Regular  Central European  33 x 76  40 %
Segoe Script  Script  Regular  Cyrillic  33 x 76  40 %
Segoe Script  Script  Regular  Greek  33 x 76  40 %
Segoe Script  Script  Regular  Turkish  33 x 76  40 %
Segoe Script  Script  Regular  Western  33 x 76  40 %
Segoe UI Black  Swiss  Regular  Baltic  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Central European  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Cyrillic  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Greek  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Turkish  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Vietnamese  29 x 64  90 %
Segoe UI Black  Swiss  Regular  Western  29 x 64  90 %
Segoe UI Emoji  Swiss  Regular  Western  60 x 64  40 %
Segoe UI Historic  Swiss  Regular  Western  40 x 64  40 %
Segoe UI Light  Swiss  Regular  Arabic  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Baltic  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Central European  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Cyrillic  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Greek  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Hebrew  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Turkish  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Vietnamese  25 x 64  30 %
Segoe UI Light  Swiss  Regular  Western  25 x 64  30 %
Segoe UI Semibold  Swiss  Regular  Arabic  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Baltic  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Central European  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Cyrillic  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Greek  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Hebrew  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Turkish  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Vietnamese  27 x 64  60 %
Segoe UI Semibold  Swiss  Regular  Western  27 x 64  60 %
Segoe UI Semilight  Swiss  Regular  Arabic  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Baltic  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Central European  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Cyrillic  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Greek  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Hebrew  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Turkish  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Vietnamese  27 x 64  35 %
Segoe UI Semilight  Swiss  Regular  Western  27 x 64  35 %
Segoe UI Symbol  Swiss  Regular  Western  34 x 64  40 %
Segoe UI  Swiss  Regular  Arabic  26 x 64  40 %
Segoe UI  Swiss  Regular  Baltic  26 x 64  40 %
Segoe UI  Swiss  Regular  Central European  26 x 64  40 %
Segoe UI  Swiss  Regular  Cyrillic  26 x 64  40 %
Segoe UI  Swiss  Regular  Greek  26 x 64  40 %
Segoe UI  Swiss  Regular  Hebrew  26 x 64  40 %
Segoe UI  Swiss  Regular  Turkish  26 x 64  40 %
Segoe UI  Swiss  Regular  Vietnamese  26 x 64  40 %
Segoe UI  Swiss  Regular  Western  26 x 64  40 %
Showcard Gothic  Decorative  Regular  Western  27 x 59  40 %
SimHei  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
SimHei  Modern  Regular  Western  24 x 48  40 %
SimSun  Special  Regular  CHINESE_GB2312  24 x 48  40 %
SimSun  Special  Regular  Western  24 x 48  40 %
SimSun-ExtB  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
SimSun-ExtB  Modern  Regular  Western  24 x 48  40 %
Sitka Banner  Special  Regular  Baltic  25 x 69  40 %
Sitka Banner  Special  Regular  Central European  25 x 69  40 %
Sitka Banner  Special  Regular  Cyrillic  25 x 69  40 %
Sitka Banner  Special  Regular  Greek  25 x 69  40 %
Sitka Banner  Special  Regular  Turkish  25 x 69  40 %
Sitka Banner  Special  Regular  Vietnamese  25 x 69  40 %
Sitka Banner  Special  Regular  Western  25 x 69  40 %
Sitka Display  Special  Regular  Baltic  25 x 69  40 %
Sitka Display  Special  Regular  Central European  25 x 69  40 %
Sitka Display  Special  Regular  Cyrillic  25 x 69  40 %
Sitka Display  Special  Regular  Greek  25 x 69  40 %
Sitka Display  Special  Regular  Turkish  25 x 69  40 %
Sitka Display  Special  Regular  Vietnamese  25 x 69  40 %
Sitka Display  Special  Regular  Western  25 x 69  40 %
Sitka Heading  Special  Regular  Baltic  26 x 69  40 %
Sitka Heading  Special  Regular  Central European  26 x 69  40 %
Sitka Heading  Special  Regular  Cyrillic  26 x 69  40 %
Sitka Heading  Special  Regular  Greek  26 x 69  40 %
Sitka Heading  Special  Regular  Turkish  26 x 69  40 %
Sitka Heading  Special  Regular  Vietnamese  26 x 69  40 %
Sitka Heading  Special  Regular  Western  26 x 69  40 %
Sitka Small  Special  Regular  Baltic  31 x 71  40 %
Sitka Small  Special  Regular  Central European  31 x 71  40 %
Sitka Small  Special  Regular  Cyrillic  31 x 71  40 %
Sitka Small  Special  Regular  Greek  31 x 71  40 %
Sitka Small  Special  Regular  Turkish  31 x 71  40 %
Sitka Small  Special  Regular  Vietnamese  31 x 71  40 %
Sitka Small  Special  Regular  Western  31 x 71  40 %
Sitka Subheading  Special  Regular  Baltic  27 x 69  40 %
Sitka Subheading  Special  Regular  Central European  27 x 69  40 %
Sitka Subheading  Special  Regular  Cyrillic  27 x 69  40 %
Sitka Subheading  Special  Regular  Greek  27 x 69  40 %
Sitka Subheading  Special  Regular  Turkish  27 x 69  40 %
Sitka Subheading  Special  Regular  Vietnamese  27 x 69  40 %
Sitka Subheading  Special  Regular  Western  27 x 69  40 %
Sitka Text  Special  Regular  Baltic  29 x 69  40 %
Sitka Text  Special  Regular  Central European  29 x 69  40 %
Sitka Text  Special  Regular  Cyrillic  29 x 69  40 %
Sitka Text  Special  Regular  Greek  29 x 69  40 %
Sitka Text  Special  Regular  Turkish  29 x 69  40 %
Sitka Text  Special  Regular  Vietnamese  29 x 69  40 %
Sitka Text  Special  Regular  Western  29 x 69  40 %
Small Fonts  Swiss    Western  1 x 3  40 %
Snap ITC  Decorative  Regular  Western  28 x 62  40 %
STCaiyun  Special  Regular  CHINESE_GB2312  21 x 50  40 %
Stencil  Decorative  Regular  Western  27 x 57  40 %
STFangsong  Special  Regular  Baltic  19 x 54  40 %
STFangsong  Special  Regular  Central European  19 x 54  40 %
STFangsong  Special  Regular  CHINESE_GB2312  19 x 54  40 %
STFangsong  Special  Regular  Cyrillic  19 x 54  40 %
STFangsong  Special  Regular  Greek  19 x 54  40 %
STFangsong  Special  Regular  Turkish  19 x 54  40 %
STFangsong  Special  Regular  Western  19 x 54  40 %
STHupo  Special  Regular  CHINESE_GB2312  21 x 49  40 %
STKaiti  Special  Regular  Baltic  19 x 54  40 %
STKaiti  Special  Regular  Central European  19 x 54  40 %
STKaiti  Special  Regular  CHINESE_GB2312  19 x 54  40 %
STKaiti  Special  Regular  Cyrillic  19 x 54  40 %
STKaiti  Special  Regular  Greek  19 x 54  40 %
STKaiti  Special  Regular  Turkish  19 x 54  40 %
STKaiti  Special  Regular  Western  19 x 54  40 %
STLiti  Special  Regular  CHINESE_GB2312  17 x 49  40 %
STSong  Special  Regular  Baltic  19 x 54  40 %
STSong  Special  Regular  Central European  19 x 54  40 %
STSong  Special  Regular  CHINESE_GB2312  19 x 54  40 %
STSong  Special  Regular  Cyrillic  19 x 54  40 %
STSong  Special  Regular  Greek  19 x 54  40 %
STSong  Special  Regular  Turkish  19 x 54  40 %
STSong  Special  Regular  Western  19 x 54  40 %
STXihei  Special  Regular  Baltic  23 x 52  40 %
STXihei  Special  Regular  Central European  23 x 52  40 %
STXihei  Special  Regular  CHINESE_GB2312  23 x 52  40 %
STXihei  Special  Regular  Cyrillic  23 x 52  40 %
STXihei  Special  Regular  Greek  23 x 52  40 %
STXihei  Special  Regular  Turkish  23 x 52  40 %
STXihei  Special  Regular  Western  23 x 52  40 %
STXingkai  Special  Regular  CHINESE_GB2312  15 x 50  40 %
STXinwei  Special  Regular  CHINESE_GB2312  21 x 49  40 %
STZhongsong  Special  Regular  Baltic  24 x 55  40 %
STZhongsong  Special  Regular  Central European  24 x 55  40 %
STZhongsong  Special  Regular  CHINESE_GB2312  24 x 55  40 %
STZhongsong  Special  Regular  Cyrillic  24 x 55  40 %
STZhongsong  Special  Regular  Greek  24 x 55  40 %
STZhongsong  Special  Regular  Turkish  24 x 55  40 %
STZhongsong  Special  Regular  Western  24 x 55  40 %
Sylfaen  Roman  Regular  Baltic  20 x 63  40 %
Sylfaen  Roman  Regular  Central European  20 x 63  40 %
Sylfaen  Roman  Regular  Cyrillic  20 x 63  40 %
Sylfaen  Roman  Regular  Greek  20 x 63  40 %
Sylfaen  Roman  Regular  Turkish  20 x 63  40 %
Sylfaen  Roman  Regular  Western  20 x 63  40 %
Symbol  Roman  Regular  Symbol  29 x 59  40 %
System  Swiss    Western  9 x 20  70 %
Tahoma  Swiss  Regular  Arabic  21 x 58  40 %
Tahoma  Swiss  Regular  Baltic  21 x 58  40 %
Tahoma  Swiss  Regular  Central European  21 x 58  40 %
Tahoma  Swiss  Regular  Cyrillic  21 x 58  40 %
Tahoma  Swiss  Regular  Greek  21 x 58  40 %
Tahoma  Swiss  Regular  Hebrew  21 x 58  40 %
Tahoma  Swiss  Regular  Thai  21 x 58  40 %
Tahoma  Swiss  Regular  Turkish  21 x 58  40 %
Tahoma  Swiss  Regular  Vietnamese  21 x 58  40 %
Tahoma  Swiss  Regular  Western  21 x 58  40 %
Tempus Sans ITC  Decorative  Regular  Western  20 x 63  40 %
Terminal  Modern    OEM/DOS  8 x 12  40 %
Times New Roman  Roman  Regular  Arabic  19 x 53  40 %
Times New Roman  Roman  Regular  Baltic  19 x 53  40 %
Times New Roman  Roman  Regular  Central European  19 x 53  40 %
Times New Roman  Roman  Regular  Cyrillic  19 x 53  40 %
Times New Roman  Roman  Regular  Greek  19 x 53  40 %
Times New Roman  Roman  Regular  Hebrew  19 x 53  40 %
Times New Roman  Roman  Regular  Turkish  19 x 53  40 %
Times New Roman  Roman  Regular  Vietnamese  19 x 53  40 %
Times New Roman  Roman  Regular  Western  19 x 53  40 %
Trebuchet MS  Swiss  Regular  Baltic  22 x 56  40 %
Trebuchet MS  Swiss  Regular  Central European  22 x 56  40 %
Trebuchet MS  Swiss  Regular  Cyrillic  22 x 56  40 %
Trebuchet MS  Swiss  Regular  Greek  22 x 56  40 %
Trebuchet MS  Swiss  Regular  Turkish  22 x 56  40 %
Trebuchet MS  Swiss  Regular  Western  22 x 56  40 %
Tw Cen MT Condensed Extra Bold  Swiss  Regular  Central European  18 x 52  40 %
Tw Cen MT Condensed Extra Bold  Swiss  Regular  Western  18 x 52  40 %
Tw Cen MT Condensed  Swiss  Regular  Central European  14 x 51  40 %
Tw Cen MT Condensed  Swiss  Regular  Western  14 x 51  40 %
Tw Cen MT  Swiss  Regular  Central European  19 x 52  40 %
Tw Cen MT  Swiss  Regular  Western  19 x 52  40 %
Verdana  Swiss  Regular  Baltic  24 x 58  40 %
Verdana  Swiss  Regular  Central European  24 x 58  40 %
Verdana  Swiss  Regular  Cyrillic  24 x 58  40 %
Verdana  Swiss  Regular  Greek  24 x 58  40 %
Verdana  Swiss  Regular  Turkish  24 x 58  40 %
Verdana  Swiss  Regular  Vietnamese  24 x 58  40 %
Verdana  Swiss  Regular  Western  24 x 58  40 %
Viner Hand ITC  Script  Regular  Western  22 x 77  40 %
Vivaldi  Script  Italic  Western  14 x 57  40 %
Vladimir Script  Script  Regular  Western  16 x 58  40 %
Webdings  Roman  Regular  Symbol  47 x 48  40 %
Wide Latin  Roman  Regular  Western  40 x 59  40 %
Wingdings 2  Roman  Regular  Symbol  40 x 51  40 %
Wingdings 3  Roman  Regular  Symbol  37 x 55  40 %
Wingdings  Special  Regular  Symbol  43 x 53  40 %
YouYuan  Modern  Regular  CHINESE_GB2312  24 x 48  40 %
Yu Gothic Light  Swiss  Regular  Baltic  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Central European  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Cyrillic  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Greek  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Japanese  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Turkish  46 x 62  30 %
Yu Gothic Light  Swiss  Regular  Western  46 x 62  30 %
Yu Gothic Medium  Swiss  Regular  Baltic  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Central European  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Cyrillic  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Greek  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Japanese  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Turkish  46 x 62  50 %
Yu Gothic Medium  Swiss  Regular  Western  46 x 62  50 %
Yu Gothic UI Light  Swiss  Regular  Baltic  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Central European  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Cyrillic  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Greek  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Japanese  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Turkish  25 x 64  30 %
Yu Gothic UI Light  Swiss  Regular  Western  25 x 64  30 %
Yu Gothic UI Semibold  Swiss  Regular  Baltic  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Central European  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Cyrillic  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Greek  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Japanese  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Turkish  28 x 64  60 %
Yu Gothic UI Semibold  Swiss  Regular  Western  28 x 64  60 %
Yu Gothic UI Semilight  Swiss  Regular  Baltic  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Central European  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Cyrillic  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Greek  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Japanese  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Turkish  26 x 64  35 %
Yu Gothic UI Semilight  Swiss  Regular  Western  26 x 64  35 %
Yu Gothic UI  Swiss  Regular  Baltic  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Central European  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Cyrillic  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Greek  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Japanese  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Turkish  26 x 64  40 %
Yu Gothic UI  Swiss  Regular  Western  26 x 64  40 %
Yu Gothic  Swiss  Regular  Baltic  46 x 62  40 %
Yu Gothic  Swiss  Regular  Central European  46 x 62  40 %
Yu Gothic  Swiss  Regular  Cyrillic  46 x 62  40 %
Yu Gothic  Swiss  Regular  Greek  46 x 62  40 %
Yu Gothic  Swiss  Regular  Japanese  46 x 62  40 %
Yu Gothic  Swiss  Regular  Turkish  46 x 62  40 %
Yu Gothic  Swiss  Regular  Western  46 x 62  40 %


Windows Audio

 
Device  Identifier  Device Description
midi-out.0  0001 001B  Microsoft GS Wavetable Synth
mixer.0  0001 0068  Speakers (Synaptics SmartAudio
mixer.1  0001 0068  Microphone Array (Synaptics Sma
wave-in.0  0001 0065  Microphone Array (Synaptics Sma
wave-out.0  0001 0064  Speakers (Synaptics SmartAudio


PCI / PnP Audio

 
Device Description  Type
Conexant CX8200 @ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)  PCI
Intel Ice Point HDMI @ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)  PCI


HD Audio

 
[ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech) ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
Device Description (Windows)  High Definition Audio Controller
Bus Type  PCI
Bus / Device / Function  0 / 31 / 3
Device ID  8086-34C8
Subsystem ID  1854-0361
Revision  30
Hardware ID  PCI\VEN_8086&DEV_34C8&SUBSYS_03611854&REV_30
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Conexant CX8200 ]
 
Device Properties:
Device Description  Conexant CX8200
Device Description (Windows)  Synaptics SmartAudio HD
Device Type  Audio
Bus Type  HDAUDIO
Device ID  14F1-2008
Subsystem ID  1854-0370
Revision  1001
Hardware ID  HDAUDIO\FUNC_01&VEN_14F1&DEV_2008&SUBSYS_18540370&REV_1001
 
[ Intel Ice Point HDMI ]
 
Device Properties:
Device Description  Intel Ice Point HDMI
Device Description (Windows)  Intel(R) Display Audio
Device Type  Audio
Bus Type  HDAUDIO
Device ID  8086-280F
Subsystem ID  8086-0101
Revision  1000
Hardware ID  HDAUDIO\FUNC_01&VEN_8086&DEV_280F&SUBSYS_80860101&REV_1000
 
Device Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
Driver Update  http://www.aida64.com/goto/?p=drvupdates


Audio Codecs

 
[ Fraunhofer IIS MPEG Layer-3 Codec (decode only) ]
 
ACM Driver Properties:
Driver Description  Fraunhofer IIS MPEG Layer-3 Codec (decode only)
Copyright Notice  Copyright © 1996-1999 Fraunhofer Institut Integrierte Schaltungen IIS
Driver Features  decoder only version
Driver Version  1.09
 
[ Microsoft ADPCM CODEC ]
 
ACM Driver Properties:
Driver Description  Microsoft ADPCM CODEC
Copyright Notice  Copyright (C) 1992-1996 Microsoft Corporation
Driver Features  Compresses and decompresses Microsoft ADPCM audio data.
Driver Version  4.00
 
[ Microsoft CCITT G.711 A-Law and u-Law CODEC ]
 
ACM Driver Properties:
Driver Description  Microsoft CCITT G.711 A-Law and u-Law CODEC
Copyright Notice  Copyright (c) 1993-1996 Microsoft Corporation
Driver Features  Compresses and decompresses CCITT G.711 A-Law and u-Law audio data.
Driver Version  4.00
 
[ Microsoft GSM 6.10 Audio CODEC ]
 
ACM Driver Properties:
Driver Description  Microsoft GSM 6.10 Audio CODEC
Copyright Notice  Copyright (C) 1993-1996 Microsoft Corporation
Driver Features  Compresses and decompresses audio data conforming to the ETSI-GSM (European Telecommunications Standards Institute-Groupe Special Mobile) recommendation 6.10.
Driver Version  4.00
 
[ Microsoft IMA ADPCM CODEC ]
 
ACM Driver Properties:
Driver Description  Microsoft IMA ADPCM CODEC
Copyright Notice  Copyright (C) 1992-1996 Microsoft Corporation
Driver Features  Compresses and decompresses IMA ADPCM audio data.
Driver Version  4.00
 
[ Microsoft PCM Converter ]
 
ACM Driver Properties:
Driver Description  Microsoft PCM Converter
Copyright Notice  Copyright (C) 1992-1996 Microsoft Corporation
Driver Features  Converts frequency and bits per sample of PCM audio data.
Driver Version  5.00


Video Codecs

 
Driver  Version  Description
iccvid.dll  1.10.0.11  Cinepak® Codec
iyuv_32.dll  10.0.18362.1 (WinBuild.160101.0800)  Intel Indeo(R) Video YUV Codec
msrle32.dll  10.0.18362.1 (WinBuild.160101.0800)  Microsoft RLE Compressor
msvidc32.dll  10.0.18362.1 (WinBuild.160101.0800)  Microsoft Video 1 Compressor
msyuv.dll  10.0.18362.1 (WinBuild.160101.0800)  Microsoft UYVY Video Decompressor
tsbyuv.dll  10.0.18362.1 (WinBuild.160101.0800)  Toshiba Video Codec


MCI

 
[ AVIVideo ]
 
MCI Device Properties:
Device  AVIVideo
Name  Video for Windows
Description  Video For Windows MCI driver
Type  Digital Video Device
Driver  mciavi32.dll
Status  Enabled
 
MCI Device Features:
Compound Device  Yes
File Based Device  Yes
Can Eject  No
Can Play  Yes
Can Play In Reverse  Yes
Can Record  No
Can Save Data  No
Can Freeze Data  No
Can Lock Data  No
Can Stretch Frame  Yes
Can Stretch Input  No
Can Test  Yes
Audio Capable  Yes
Video Capable  Yes
Still Image Capable  No
 
[ CDAudio ]
 
MCI Device Properties:
Device  CDAudio
Description  MCI driver for cdaudio devices
Driver  mcicda.dll
Status  Enabled
 
[ MPEGVideo ]
 
MCI Device Properties:
Device  MPEGVideo
Name  DirectShow
Description  DirectShow MCI Driver
Type  Digital Video Device
Driver  mciqtz32.dll
Status  Enabled
 
MCI Device Features:
Compound Device  Yes
File Based Device  Yes
Can Eject  No
Can Play  Yes
Can Play In Reverse  No
Can Record  No
Can Save Data  No
Can Freeze Data  No
Can Lock Data  No
Can Stretch Frame  Yes
Can Stretch Input  No
Can Test  Yes
Audio Capable  Yes
Video Capable  Yes
Still Image Capable  No
 
[ Sequencer ]
 
MCI Device Properties:
Device  Sequencer
Name  MIDI Sequencer
Description  MCI driver for MIDI sequencer
Type  Sequencer Device
Driver  mciseq.dll
Status  Enabled
 
MCI Device Features:
Compound Device  Yes
File Based Device  Yes
Can Eject  No
Can Play  Yes
Can Record  No
Can Save Data  No
Audio Capable  Yes
Video Capable  No
 
[ WaveAudio ]
 
MCI Device Properties:
Device  WaveAudio
Name  Sound
Description  MCI driver for waveform audio
Type  Waveform Audio Device
Driver  mciwave.dll
Status  Enabled
 
MCI Device Features:
Compound Device  Yes
File Based Device  Yes
Can Eject  No
Can Play  Yes
Can Record  Yes
Can Save Data  Yes
Audio Capable  Yes
Video Capable  No


SAPI

 
SAPI Properties:
SAPI4 Version  -
SAPI5 Version  5.3.23118.0
 
Voice (SAPI5):
Name  Microsoft David Desktop - English (United States)
Voice Path  C:\Windows\Speech_OneCore\Engines\TTS\en-US\M1033David
Age  Adult
Gender  Male
Language  English (United States)
Vendor  Microsoft
Version  11.0
DLL File  C:\Windows\SysWOW64\speech_onecore\engines\tts\MSTTSEngine_OneCore.dll (x86)
CLSID  {179F3D56-1B0B-42B2-A962-59B7EF59FE1B}
 
Voice (SAPI5):
Name  Microsoft Huihui Desktop - Chinese (Simplified)
Voice Path  C:\Windows\Speech_OneCore\Engines\TTS\zh-CN\M2052Huihui
Age  Adult
Gender  Female
Language  Chinese (Simplified, China)
Vendor  Microsoft
Version  11.0
DLL File  C:\Windows\SysWOW64\speech_onecore\engines\tts\MSTTSEngine_OneCore.dll (x86)
CLSID  {179F3D56-1B0B-42B2-A962-59B7EF59FE1B}
 
Voice (SAPI5):
Name  Microsoft Zira Desktop - English (United States)
Voice Path  C:\Windows\Speech\Engines\TTS\en-US\M1033ZIR
Age  Adult
Gender  Female
Language  English (United States)
Vendor  Microsoft
Version  11.0
DLL File  C:\Windows\SysWOW64\speech\engines\tts\MSTTSEngine.dll (x86)
CLSID  {C64501F6-E6E6-451f-A150-25D0839BC510}
 
Speech Recognizer (SAPI5):
Name  Microsoft Speech Recognizer 8.0 for Windows (Chinese Simplified - PRC)
Description  Microsoft Speech Recognizer 8.0 for Windows (Chinese Simplified - PRC)
FE Config Data File  C:\Windows\Speech\Engines\SR\zh-CN\c2052dsk.fe
Language  Chinese (Simplified, China)
Speaking Style  Discrete;Continuous
Supported Locales  Chinese (Simplified, China); Chinese (Simplified, Singapore); Chinese (Simplified)
Vendor  Microsoft
Version  8.0
DLL File  C:\Windows\System32\Speech\Engines\SR\spsreng.dll (x64)
CLSID  {DAC9F469-0C67-4643-9258-87EC128C5941}
RecoExtension  {4F4DB904-CA35-4A3A-90AF-C9D8BE7532AC}
 
Speech Recognizer (SAPI5):
Name  Microsoft Speech Recognizer 8.0 for Windows (English - US)
Description  Microsoft Speech Recognizer 8.0 for Windows (English - US)
FE Config Data File  C:\Windows\Speech\Engines\SR\en-US\c1033dsk.fe
Language  English (United States); English
Speaking Style  Discrete;Continuous
Supported Locales  English (United States); English (Canada); English (Philippines); English
Vendor  Microsoft
Version  8.0
DLL File  C:\Windows\System32\Speech\Engines\SR\spsreng.dll (x64)
CLSID  {DAC9F469-0C67-4643-9258-87EC128C5941}
RecoExtension  {4F4DB904-CA35-4A3A-90AF-C9D8BE7532AC}


Windows Storage

 
[ SAMSUNG MZVLB512HAJQ-00000 ]
 
Device Properties:
Driver Description  SAMSUNG MZVLB512HAJQ-00000
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  disk.inf
INF Section  disk_install.NT
 
[ XPG GAMMIX S11L ]
 
Device Properties:
Driver Description  XPG GAMMIX S11L
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  disk.inf
INF Section  disk_install.NT
 
[ Microsoft Storage Spaces Controller ]
 
Device Properties:
Driver Description  Microsoft Storage Spaces Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.449
Driver Provider  Microsoft
INF File  spaceport.inf
INF Section  Spaceport_Install
 
[ Standard NVM Express Controller ]
 
Device Properties:
Driver Description  Standard NVM Express Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  stornvme.inf
INF Section  Stornvme_Inst
 
Device Resources:
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
Memory  5A300000-5A303FFF
 
[ Standard NVM Express Controller ]
 
Device Properties:
Driver Description  Standard NVM Express Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  stornvme.inf
INF Section  Stornvme_Inst
 
Device Resources:
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
Memory  5A200000-5A203FFF
Memory  5A204000-5A205FFF


Logical Drives

 
Drive  Drive Type  File System  Total Size  Used Space  Free Space  % Free  Volume Serial
C:  Local Disk  NTFS  465953 MB  60356 MB  405597 MB  87 %  9E51-17B5
D: (New Volume)  Local Disk  NTFS  488368 MB  111 MB  488257 MB  100 %  1639-C279


Physical Drives

 
[ Drive #1 - SAMSUNG MZVLB512HAJQ-00000 (476 GB) C: ]
 
Partition  Partition Type  Drive  Start Offset  Partition Length
#1  EFI System    1 MB  260 MB
#2  MS Reserved    261 MB  16 MB
#3  Basic Data  C:  277 MB  465954 MB
#4  MS Recovery    466231 MB  900 MB
#5  MS Recovery    467131 MB  20231 MB
#6  Unknown (GUID: {33EA64D4-386F-4B91-89F7-AF51E9CB40C4})    487362 MB  1024 MB
 
[ Drive #2 - XPG GAMMIX S11L (476 GB) D: ]
 
Partition  Partition Type  Drive  Start Offset  Partition Length
#1  MS Reserved    0 MB  15 MB
#2  Basic Data  D: (New Volume)  16 MB  488369 MB


ASPI

 
Host  ID  LUN  Device Type  Vendor  Model  Rev  Extra Information
00  00  00  Disk Drive  NVMe  SAMSUNG MZVLB512  301Q  
00  07  00  Host Adapter  stornvme      
01  00  00  Disk Drive  NVMe  XPG GAMMIX S11L  2s16  
01  07  00  Host Adapter  stornvme      


ATA

 
[ SAMSUNG MZVLB512HAJQ-00000 (S3W8NX0MB31418) ]
 
NVMe Device Properties:
Model ID  SAMSUNG MZVLB512HAJQ-00000
Serial Number  S3W8NX0MB31418
Revision  EXA7301Q
Device Type  NVMe v1.2.0
Unformatted Capacity  488386 MB
PCI Vendor ID  144Dh (Samsung)
PCI Subsystem Vendor ID  144Dh (Samsung)
IEEE OUI Identifier  38-25-00 (Samsung)
Controller ID  4
Version  66048
Extended Device Self-test Time  35 min
Recommended Arbitration Burst Size  2
Max Data Transfer Size  9
Runtime D3 Resume Latency  100000 us
Runtime D3 Entry Latency  8000000 us
Abort Command Limit  8
Asynchronous Event Request Limit  4
Firmware Slots  3
Max Error Log Page Entries  64
Power States  5
Warning Composite Temperature Threshold  81 °C
Critical Composite Temperature Threshold  82 °C
Total NVM Capacity  488386 MB
Min / Max Submission Queue Entry Size  64 / 64 bytes
Min / Max Completion Queue Entry Size  16 / 16 bytes
Namespaces  1
Atomic Write Unit Normal  1024 blocks
Atomic Write Unit Power Fail  1 blocks
 
NVMe Device Features:
128-bit Host Identifier  Not Supported
ANA Change State Reporting  Not Supported
ANA Inaccessible State Reporting  Not Supported
ANA Non-Optimized State Reporting  Not Supported
ANA Optimized State Reporting  Not Supported
ANA Persistent Loss State Reporting  Not Supported
Asymmetric Namespace Access Reporting  Not Supported
Autonomous Power State Transitions  Supported
Commands Supported Log Page  Supported
Compare & Write Fused Operation  Not Supported
Cryptographic Erase  Not Supported
Directives  Not Supported
Effects Log Page  Supported
Endurance Groups  Not Supported
Firmware Activation Notices  Not Supported
Firmware Activation Without Reset  Supported
First Firmware Slot Read Only  No
Format All Namespaces  Not Supported
Get LBA Status  Not Supported
Get Log Page Extended Data  Not Supported
Host Controlled Thermal Management  Not Supported
Keep Alive  Not Supported
Multiple Controllers  No
Multiple PCIe Ports  No
Namespace Attribute Changed Event  Not Supported
Namespace Granularity  Not Supported
Non-Operational Power State Permissive Mode  Not Supported
NVM Sets  Not Supported
Persistent Event Log  Not Supported
Predictable Latency Mode  Not Supported
Read Recovery Levels  Not Supported
Reservations  Not Supported
Save / Select Fields  Supported
Secure Erase All Namespaces  Not Supported
SGLs  Not Supported
SGL Bit Bucket Descriptor  Not Supported
SGL Byte Aligned Contiguous Physical Buffer of Metadata  Not Supported
SGL Commands Larger Than Data  Not Supported
SMART Information Per Namespace  Supported
SQ Associations  Not Supported
SR-IOV Virtual Function  No
Telemetry Controller-Initiated Log Page  Not Supported
Telemetry Host-Initiated Log Page  Not Supported
Traffic Based Keep Alive  Not Supported
UUID List  Not Supported
Volatile Write Cache  Present
 
NVMe Commands:
Compare  Supported
Dataset Management  Supported
Device Self-test  Supported
Doorbell Buffer Config  Not Supported
Format NVM  Supported
Firmware Commit  Supported
Firmware Image Download  Supported
Namespace Attachment  Not Supported
Namespace Management  Not Supported
NVMe-MI Receive  Not Supported
NVMe-MI Send  Not Supported
Sanitize  Not Supported
Security Receive  Supported
Security Send  Supported
Virtualization Management  Not Supported
Write Uncorrectable  Supported
Write Zeroes  Supported
 
Sanitize Operations:
Block Erase  Not Supported
Crypto Erase  Not Supported
Overwrite  Not Supported
 
SSD Physical Info:
Manufacturer  Samsung
SSD Family  PM981
Form Factor  M.2 2280
Formatted Capacity  512 GB
Controller Type  Samsung Phoenix S4LR020
Flash Memory Type  Samsung 64-layer TLC V-NAND
Physical Dimensions  80 x 22 x 2.38 mm
Max. Weight  9 g
Max. Sequential Read Speed  3000 MB/s
Max. Sequential Write Speed  1800 MB/s
Max. Random 4 KB Read  270000 IOPS
Max. Random 4 KB Write  420000 IOPS
Interface  PCI-E 3.0 x4
Interface Data Rate  4000 MB/s
 
Device Manufacturer:
Company Name  Samsung
Product Information  https://www.samsung.com/us/computing/memory-storage/solid-state-drives
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ XPG GAMMIX S11L (2K0320080318) ]
 
NVMe Device Properties:
Model ID  XPG GAMMIX S11L
Serial Number  2K0320080318
Revision  V9002s16
Device Type  NVMe v1.3.0
Unformatted Capacity  488386 MB
PCI Vendor ID  10ECh (Realtek)
PCI Subsystem Vendor ID  10ECh (Realtek)
IEEE OUI Identifier  4C-E0-00 (Realtek)
Controller ID  1
Version  66304
Recommended Arbitration Burst Size  0
Max Data Transfer Size  5
Runtime D3 Resume Latency  1000000 us
Runtime D3 Entry Latency  2000000 us
Abort Command Limit  1
Asynchronous Event Request Limit  4
Firmware Slots  1
Firmware Update Granularity  4 KB
Max Error Log Page Entries  8
Power States  5
Warning Composite Temperature Threshold  118 °C
Critical Composite Temperature Threshold  150 °C
Max Time For Firmware Activation  2 sec
Host Memory Buffer Preferred Size  65536 KB
Host Memory Buffer Min Size  65536 KB
Min / Max Submission Queue Entry Size  64 / 64 bytes
Min / Max Completion Queue Entry Size  16 / 16 bytes
Namespaces  1
Atomic Write Unit Normal  1 blocks
Atomic Write Unit Power Fail  1 blocks
 
NVMe Device Features:
128-bit Host Identifier  Not Supported
ANA Change State Reporting  Not Supported
ANA Inaccessible State Reporting  Not Supported
ANA Non-Optimized State Reporting  Not Supported
ANA Optimized State Reporting  Not Supported
ANA Persistent Loss State Reporting  Not Supported
Asymmetric Namespace Access Reporting  Not Supported
Autonomous Power State Transitions  Supported
Commands Supported Log Page  Supported
Compare & Write Fused Operation  Not Supported
Cryptographic Erase  Not Supported
Directives  Not Supported
Effects Log Page  Supported
Endurance Groups  Not Supported
Firmware Activation Notices  Not Supported
Firmware Activation Without Reset  Not Supported
First Firmware Slot Read Only  No
Format All Namespaces  Not Supported
Get LBA Status  Not Supported
Get Log Page Extended Data  Not Supported
Host Controlled Thermal Management  Not Supported
Keep Alive  Not Supported
Multiple Controllers  No
Multiple PCIe Ports  No
Namespace Attribute Changed Event  Not Supported
Namespace Granularity  Not Supported
Non-Operational Power State Permissive Mode  Not Supported
NVM Sets  Not Supported
Persistent Event Log  Not Supported
Predictable Latency Mode  Not Supported
Read Recovery Levels  Not Supported
Reservations  Not Supported
Save / Select Fields  Supported
Secure Erase All Namespaces  Not Supported
SGLs  Not Supported
SGL Bit Bucket Descriptor  Not Supported
SGL Byte Aligned Contiguous Physical Buffer of Metadata  Not Supported
SGL Commands Larger Than Data  Not Supported
SMART Information Per Namespace  Supported
SQ Associations  Not Supported
SR-IOV Virtual Function  No
Telemetry Controller-Initiated Log Page  Not Supported
Telemetry Host-Initiated Log Page  Not Supported
Traffic Based Keep Alive  Not Supported
UUID List  Not Supported
Volatile Write Cache  Present
 
NVMe Commands:
Compare  Not Supported
Dataset Management  Supported
Device Self-test  Not Supported
Doorbell Buffer Config  Not Supported
Format NVM  Supported
Firmware Commit  Supported
Firmware Image Download  Supported
Namespace Attachment  Not Supported
Namespace Management  Not Supported
NVMe-MI Receive  Not Supported
NVMe-MI Send  Not Supported
Sanitize  Not Supported
Security Receive  Supported
Security Send  Supported
Virtualization Management  Not Supported
Write Uncorrectable  Not Supported
Write Zeroes  Not Supported
 
Sanitize Operations:
Block Erase  Not Supported
Crypto Erase  Not Supported
Overwrite  Not Supported


SMART

 
[ SAMSUNG MZVLB512HAJQ-00000 (S3W8NX0MB31418) ]
 
ID  Attribute Description  Threshold  Value  Worst  Data  Status
0  Critical Warning        0   OK: Value is normal
1  Temperature        37 °C  OK: Always passes
3  Available Spare        100 %  OK: Always passes
4  Available Spare Threshold        10 %  OK: Always passes
5  Percentage Used        0 %  OK: Value is normal
32  Data Units Read        95.48 GB  OK: Always passes
48  Data Units Written        88.23 GB  OK: Always passes
64  Host Read Commands        1688129   OK: Always passes
80  Host Write Commands        1124934   OK: Always passes
96  Controller Busy Time        5 min  OK: Always passes
112  Power Cycles        14   OK: Always passes
128  Power-On Hours        1   OK: Always passes
144  Unsafe Shutdowns        4   OK: Always passes
160  Media Errors        0   OK: Value is normal
176  Error Information Log Entries        54   OK: Always passes
192  Warning Composite Temperature Time        0 min  OK: Always passes
196  Critical Composite Temperature Time        0 min  OK: Always passes
200  Temperature Sensor 1        37 °C  OK: Always passes
202  Temperature Sensor 2        62 °C  OK: Always passes
 
[ XPG GAMMIX S11L (2K0320080318) ]
 
ID  Attribute Description  Threshold  Value  Worst  Data  Status
0  Critical Warning        0   OK: Value is normal
1  Temperature        29 °C  OK: Always passes
3  Available Spare        100 %  OK: Always passes
4  Available Spare Threshold        32 %  OK: Always passes
5  Percentage Used        0 %  OK: Value is normal
32  Data Units Read        221.02 GB  OK: Always passes
48  Data Units Written        219.14 GB  OK: Always passes
64  Host Read Commands        1909848   OK: Always passes
80  Host Write Commands        1846371   OK: Always passes
96  Controller Busy Time        0 min  OK: Always passes
112  Power Cycles        8   OK: Always passes
128  Power-On Hours        0   OK: Always passes
144  Unsafe Shutdowns        3   OK: Always passes
160  Media Errors        0   OK: Value is normal
176  Error Information Log Entries        0   OK: Always passes
192  Warning Composite Temperature Time        0 min  OK: Always passes
196  Critical Composite Temperature Time        0 min  OK: Always passes


Windows Network

 
[ Intel(R) Wi-Fi 6 AX201 160MHz ]
 
Network Adapter Properties:
Network Adapter  Intel(R) Wi-Fi 6 AX201 160MHz
Interface Type  802.11 Wireless Ethernet
Hardware Address  80-32-53-79-E3-B6
Connection Name  Wi-Fi
Connection Speed  780 Mbps
MTU  1500 bytes
DHCP Lease Obtained  3/18/2020 1:10:49 PM
DHCP Lease Expires  3/18/2020 2:10:49 PM
Bytes Received  160788846 (153.3 MB)
Bytes Sent  8736769 (8.3 MB)
 
Network Adapter Addresses:
IP / Subnet Mask  100.79.143.17 / 255.255.252.0
Gateway  100.79.140.1
DHCP  100.79.140.1
DNS  211.138.151.161
DNS  211.138.156.66
 
WLAN Properties:
Network Type  Infrastructure
SSID  REDBLUE_5G
BSSID  20-76-93-46-00-E4
Authentication Algorithm  WPA2-PSK
Cipher Algorithm  CCMP
Channel  36 (5180 MHz)
Transmit Rate  780 Mbps
Receive Rate  780 Mbps
 
Network Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/content/www/us/en/products/network-io.html
Driver Download  https://www.intel.com/support/network
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Microsoft Wi-Fi Direct Virtual Adapter #2 ]
 
Network Adapter Properties:
Network Adapter  Microsoft Wi-Fi Direct Virtual Adapter #2
Interface Type  802.11 Wireless Ethernet
Hardware Address  82-32-53-79-E3-B6
Connection Name  Local Area Connection* 2
MTU  1500 bytes
Bytes Received  0
Bytes Sent  0
 
WLAN Properties:
Network Type  Infrastructure
 
[ Microsoft Wi-Fi Direct Virtual Adapter ]
 
Network Adapter Properties:
Network Adapter  Microsoft Wi-Fi Direct Virtual Adapter
Interface Type  802.11 Wireless Ethernet
Hardware Address  80-32-53-79-E3-B7
Connection Name  Local Area Connection* 1
MTU  1500 bytes
Bytes Received  0
Bytes Sent  0
 
[ TAP-Windows Adapter V9 ]
 
Network Adapter Properties:
Network Adapter  TAP-Windows Adapter V9
Interface Type  Ethernet
Hardware Address  00-FF-8B-FA-D8-4E
Connection Name  Ethernet 2
Connection Speed  100 Mbps
MTU  1500 bytes
Bytes Received  0
Bytes Sent  0


PCI / PnP Network

 
Device Description  Type
Intel Ice Point-LP PCH - WiFi Controller  PCI


Internet

 
Internet Settings:
Start Page  http://lg17win10.msn.com/?pc=LGTE
Search Page  http://go.microsoft.com/fwlink/?LinkId=54896
Local Page  %11%\blank.htm
Download Folder  
 
Current Proxy:
Proxy Status  Script: http://127.0.0.1:41090/pac?ezkyYTk4OWJiLTBkZjEtNDhkNy04MDczLWU5NDE1YTM0ZDZlMX0=
 
LAN Proxy:
Proxy Status  Script: http://127.0.0.1:41090/pac?ezkyYTk4OWJiLTBkZjEtNDhkNy04MDczLWU5NDE1YTM0ZDZlMX0=


Routes

 
Type  Net Destination  Netmask  Gateway  Metric  Interface
Active  0.0.0.0  0.0.0.0  100.79.140.1  35  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)
Active  100.79.140.0  255.255.252.0  100.79.143.17  291  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)
Active  100.79.143.17  255.255.255.255  100.79.143.17  291  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)
Active  100.79.143.255  255.255.255.255  100.79.143.17  291  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)
Active  127.0.0.0  255.0.0.0  127.0.0.1  331  127.0.0.1 (Software Loopback Interface 1)
Active  127.0.0.1  255.255.255.255  127.0.0.1  331  127.0.0.1 (Software Loopback Interface 1)
Active  127.255.255.255  255.255.255.255  127.0.0.1  331  127.0.0.1 (Software Loopback Interface 1)
Active  224.0.0.0  240.0.0.0  127.0.0.1  331  127.0.0.1 (Software Loopback Interface 1)
Active  224.0.0.0  240.0.0.0  100.79.143.17  291  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)
Active  255.255.255.255  255.255.255.255  127.0.0.1  331  127.0.0.1 (Software Loopback Interface 1)
Active  255.255.255.255  255.255.255.255  100.79.143.17  291  100.79.143.17 (Intel(R) Wi-Fi 6 AX201 160MHz)


IE Cookie

 
Last Access  URL
2020-03-18 10:34:59  redblue@bing.com/
2020-03-18 11:13:26  redblue@g.live.com/
2020-03-18 13:21:11  redblue@qq.com/
2020-03-18 13:21:11  redblue@soso.com/


Browser History

 
Last Access  URL
2020-03-18 10:34:10  redblue@ms-settings:network
2020-03-18 10:34:34  redblue@ms-gamingoverlay://kglcheck/
2020-03-18 10:46:28  redblue@file:///C:/Users/redblue/Downloads/Ghelper2.2.1.all.zip
2020-03-18 10:47:06  redblue@file:///C:/Users/redblue/Desktop/ghelper_source
2020-03-18 11:04:03  redblue@file:///C:/Users/redblue/Downloads/Noble%20Scarlet-Hint.zip
2020-03-18 11:04:29  redblue@file:///C:/Users/redblue/Desktop/Noble%20Scarlet-Hint/msyhl.ttc
2020-03-18 11:07:41  redblue@http://www.msftconnecttest.com/redirect
2020-03-18 11:10:21  redblue@file:///C:/Users/redblue/Desktop/Noble%20Scarlet-Hint/msyhsl.ttc
2020-03-18 11:10:45  redblue@file:///C:/Users/redblue/Desktop/Noble%20Scarlet-Hint
2020-03-18 11:20:15  redblue@file:///C:/Users/redblue/Downloads/noMeiryoUI236.zip
2020-03-18 11:26:20  redblue@file:///C:/Users/redblue/Downloads/PAGreen.zip
2020-03-18 11:41:11  redblue@file:///C:/Users/redblue/Downloads
2020-03-18 11:41:11  redblue@file:///C:/Users/redblue/Downloads/font
2020-03-18 11:51:40  redblue@ms-windows-store://collection/?CollectionId=Fonts&ocid=ems.dco.storesearch&ccid=7aee2b8643eb41919726321e61569946<id=searchPromo
2020-03-18 11:56:22  redblue@ms-settings:windowsupdate
2020-03-18 12:11:12  redblue@https://intel.az1.qualtrics.com/jfe/form/SV_bPiSjUuWRzTrM2x
2020-03-18 12:11:44  redblue@ms-settings:videoplayback
2020-03-18 13:10:53  redblue@https://login.live.com/oauth20_desktop.srf?lc=1033
2020-03-18 13:10:53  redblue@https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srf


DirectX Files

 
Name  Version  Type  Language  Size  Date
amstream.dll  10.00.18362.0001  Final Retail  English  76800  3/19/2019 12:46:06 PM
bdaplgin.ax  10.00.18362.0001  Final Retail  English  76288  3/19/2019 12:46:07 PM
d2d1.dll  10.00.18362.0001  Final Retail  English  5195944  3/19/2019 12:45:14 PM
d3d10.dll  10.00.18362.0001  Final Retail  English  1043968  3/19/2019 12:45:24 PM
d3d10_1.dll  10.00.18362.0001  Final Retail  English  147968  3/19/2019 12:45:24 PM
d3d10_1core.dll  10.00.18362.0001  Final Retail  English  34304  3/19/2019 12:45:24 PM
d3d10core.dll  10.00.18362.0001  Final Retail  English  33792  3/19/2019 12:45:24 PM
d3d10level9.dll  10.00.18362.0001  Final Retail  English  329984  3/19/2019 12:45:14 PM
d3d10warp.dll  10.00.18362.0356  Final Retail  English  5848840  12/26/2019 9:40:54 AM
d3d11.dll  10.00.18362.0387  Final Retail  English  1957008  12/26/2019 9:40:54 AM
d3d12.dll  10.00.18362.0329  Final Retail  English  1531656  12/26/2019 9:40:54 AM
d3d8.dll  10.00.18362.0356  Final Retail  English  699904  12/26/2019 9:40:55 AM
d3d8thk.dll  10.00.18362.0387  Final Retail  English  12800  12/26/2019 9:40:55 AM
d3d9.dll  10.00.18362.0387  Final Retail  English  1616784  12/26/2019 9:40:55 AM
d3dim.dll  10.00.18362.0001  Final Retail  English  319488  3/19/2019 12:45:22 PM
d3dim700.dll  10.00.18362.0001  Final Retail  English  385536  3/19/2019 12:45:22 PM
d3dramp.dll  10.00.18362.0001  Final Retail  English  595456  3/19/2019 12:45:22 PM
d3dxof.dll  10.00.18362.0001  Final Retail  English  56832  3/19/2019 12:45:22 PM
ddraw.dll  10.00.18362.0356  Final Retail  English  529408  12/26/2019 9:40:55 AM
ddrawex.dll  10.00.18362.0356  Final Retail  English  41472  12/26/2019 9:40:55 AM
devenum.dll  10.00.18362.0001  Final Retail  English  83088  3/19/2019 12:46:06 PM
dinput.dll  10.00.18362.0001  Final Retail  English  134656  3/19/2019 12:45:59 PM
dinput8.dll  10.00.18362.0001  Final Retail  English  169984  3/19/2019 12:45:59 PM
dmband.dll  10.00.18362.0001  Final Retail  English  33792  3/19/2019 12:45:59 PM
dmcompos.dll  10.00.18362.0001  Final Retail  English  74240  3/19/2019 12:45:59 PM
dmime.dll  10.00.18362.0001  Final Retail  English  198656  3/19/2019 12:45:59 PM
dmloader.dll  10.00.18362.0001  Final Retail  English  41472  3/19/2019 12:45:59 PM
dmscript.dll  10.00.18362.0001  Final Retail  English  97280  3/19/2019 12:45:59 PM
dmstyle.dll  10.00.18362.0001  Final Retail  English  117760  3/19/2019 12:45:59 PM
dmsynth.dll  10.00.18362.0001  Final Retail  English  112128  3/19/2019 12:45:59 PM
dmusic.dll  10.00.18362.0001  Final Retail  English  109056  3/19/2019 12:45:59 PM
dplaysvr.exe  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dplayx.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpmodemx.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnaddr.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnathlp.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:46:00 PM
dpnet.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnhpast.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnhupnp.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnlobby.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpnsvr.exe  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dpwsockx.dll  10.00.18362.0001  Final Retail  English  8192  3/19/2019 12:45:59 PM
dsdmo.dll  10.00.18362.0001  Final Retail  English  185856  3/19/2019 12:45:07 PM
dsound.dll  10.00.18362.0001  Final Retail  English  490496  3/19/2019 12:45:07 PM
dswave.dll  10.00.18362.0001  Final Retail  English  23040  3/19/2019 12:45:59 PM
dwrite.dll  10.00.18362.0476  Final Retail  English  2576384  12/26/2019 9:40:54 AM
dxdiagn.dll  10.00.18362.0387  Final Retail  English  450560  12/26/2019 9:41:01 AM
dxgi.dll  10.00.18362.0693  Final Retail  English  776488  3/18/2020 11:28:40 AM
dxmasf.dll  12.00.18362.0449  Final Retail  English  5632  12/26/2019 9:41:12 AM
dxtmsft.dll  11.00.18362.0001  Final Retail  English  396800  3/19/2019 12:46:02 PM
dxtrans.dll  11.00.18362.0001  Final Retail  English  266752  3/19/2019 12:46:02 PM
dxva2.dll  10.00.18362.0001  Final Retail  English  106896  3/19/2019 12:45:14 PM
encapi.dll  10.00.18362.0001  Final Retail  English  20992  3/19/2019 12:46:06 PM
gcdef.dll  10.00.18362.0001  Final Retail  English  123904  3/19/2019 12:45:59 PM
iac25_32.ax  2.00.0005.0053  Final Retail  English  197632  3/19/2019 12:46:01 PM
ir41_32.ax  10.00.18362.0001  Final Retail  English  9216  3/19/2019 12:46:01 PM
ir41_qc.dll  10.00.18362.0001  Final Retail  English  8704  3/19/2019 12:46:01 PM
ir41_qcx.dll  10.00.18362.0001  Final Retail  English  8704  3/19/2019 12:46:01 PM
ir50_32.dll  10.00.18362.0001  Final Retail  English  9216  3/19/2019 12:46:01 PM
ir50_qc.dll  10.00.18362.0001  Final Retail  English  9216  3/19/2019 12:46:01 PM
ir50_qcx.dll  10.00.18362.0001  Final Retail  English  9216  3/19/2019 12:46:01 PM
ivfsrc.ax  5.10.0002.0051  Final Retail  English  146944  3/19/2019 12:46:01 PM
joy.cpl  10.00.18362.0001  Final Retail  English  90624  3/19/2019 12:45:59 PM
ksproxy.ax  10.00.18362.0001  Final Retail  English  233472  3/19/2019 12:46:06 PM
kstvtune.ax  10.00.18362.0001  Final Retail  English  89600  3/19/2019 12:46:06 PM
ksuser.dll  10.00.18362.0001  Final Retail  English  20328  3/19/2019 12:45:07 PM
kswdmcap.ax  10.00.18362.0001  Final Retail  English  116224  3/19/2019 12:46:06 PM
ksxbar.ax  10.00.18362.0001  Final Retail  English  53248  3/19/2019 12:46:06 PM
mciqtz32.dll  10.00.18362.0001  Final Retail  English  38400  3/19/2019 12:46:06 PM
mfc40.dll  4.01.0000.6140  Final Retail  English  924944  3/19/2019 12:45:10 PM
mfc42.dll  6.06.8063.0000  Beta Retail  English  1171456  3/19/2019 12:45:10 PM
mpeg2data.ax  10.00.18362.0001  Final Retail  English  75776  3/19/2019 12:46:07 PM
mpg2splt.ax  10.00.18362.0001  Final Retail  English  204800  3/19/2019 12:46:06 PM
msdmo.dll  10.00.18362.0001  Final Retail  English  29104  3/19/2019 12:45:07 PM
msdvbnp.ax  10.00.18362.0001  Final Retail  English  66560  3/19/2019 12:46:07 PM
msvidctl.dll  6.05.18362.0001  Final Retail  English  2202624  3/19/2019 12:46:07 PM
msyuv.dll  10.00.18362.0001  Final Retail  English  23552  3/19/2019 12:46:06 PM
pid.dll  10.00.18362.0001  Final Retail  English  37888  3/19/2019 12:45:59 PM
psisdecd.dll  10.00.18362.0001  Final Retail  English  484352  3/19/2019 12:46:07 PM
psisrndr.ax  10.00.18362.0001  Final Retail  English  79872  3/19/2019 12:46:07 PM
qasf.dll  12.00.18362.0001  Final Retail  English  127488  3/19/2019 12:45:59 PM
qcap.dll  10.00.18362.0001  Final Retail  English  211968  3/19/2019 12:46:06 PM
qdv.dll  10.00.18362.0001  Final Retail  English  291328  3/19/2019 12:46:06 PM
qdvd.dll  10.00.18362.0001  Final Retail  English  555520  3/19/2019 12:46:06 PM
qedit.dll  10.00.18362.0001  Final Retail  English  548864  3/19/2019 12:46:08 PM
qedwipes.dll  10.00.18362.0001  Final Retail  English  2560  3/19/2019 12:46:08 PM
quartz.dll  10.00.18362.0001  Final Retail  English  1466880  3/19/2019 12:46:06 PM
vbisurf.ax  10.00.18362.0001  Final Retail  English  37888  3/19/2019 12:46:07 PM
vfwwdm32.dll  10.00.18362.0001  Final Retail  English  56832  3/19/2019 12:46:06 PM
wsock32.dll  10.00.18362.0001  Final Retail  English  16384  3/19/2019 12:45:12 PM


DirectX Video

 
[ Primary Display Driver ]
 
DirectDraw Device Properties:
DirectDraw Driver Name  display
DirectDraw Driver Description  Primary Display Driver
Hardware Driver  igdumdim32.dll
Hardware Description  Intel(R) Iris(R) Plus Graphics
 
Direct3D Device Properties:
Rendering Bit Depths  8, 16, 32
Z-Buffer Bit Depths  16, 24, 32
Multisample Anti-Aliasing Modes  MSAA 2x, MSAA 4x, MSAA 8x
Min Texture Size  1 x 1
Max Texture Size  8192 x 8192
Unified Shader Version  5.1
DirectX Hardware Support  DirectX v11.1
 
Direct3D Device Features:
Additive Texture Blending  Supported
AGP Texturing  Not Supported
Anisotropic Filtering  Supported
Automatic Mipmap Generation  Supported
Bilinear Filtering  Supported
Compute Shader  Supported
Cubic Environment Mapping  Supported
Cubic Filtering  Not Supported
Decal-Alpha Texture Blending  Supported
Decal Texture Blending  Supported
Directional Lights  Supported
DirectX Texture Compression  Not Supported
DirectX Volumetric Texture Compression  Not Supported
Dithering  Supported
Dot3 Texture Blending  Supported
Double-Precision Floating-Point  Not Supported
Driver Concurrent Creates  Supported
Driver Command Lists  Not Supported
Dynamic Textures  Supported
Edge Anti-Aliasing  Not Supported
Environmental Bump Mapping  Supported
Environmental Bump Mapping + Luminance  Supported
Factor Alpha Blending  Supported
Geometric Hidden-Surface Removal  Not Supported
Geometry Shader  Supported
Guard Band  Supported
Hardware Scene Rasterization  Supported
Hardware Transform & Lighting  Supported
Legacy Depth Bias  Supported
Map On Default Buffers  Supported
Mipmap LOD Bias Adjustments  Supported
Mipmapped Cube Textures  Supported
Mipmapped Volume Textures  Supported
Modulate-Alpha Texture Blending  Supported
Modulate Texture Blending  Supported
Non-Square Textures  Supported
N-Patches  Not Supported
Perspective Texture Correction  Supported
Point Lights  Supported
Point Sampling  Supported
Projective Textures  Supported
Quintic Bezier Curves & B-Splines  Not Supported
Range-Based Fog  Supported
Rectangular & Triangular Patches  Not Supported
Rendering In Windowed Mode  Supported
Runtime Shader Linking  Supported
Scissor Test  Supported
Slope-Scale Based Depth Bias  Supported
Specular Flat Shading  Supported
Specular Gouraud Shading  Supported
Specular Phong Shading  Not Supported
Spherical Mapping  Supported
Spot Lights  Supported
Stencil Buffers  Supported
Sub-Pixel Accuracy  Supported
Subtractive Texture Blending  Supported
Table Fog  Supported
Texture Alpha Blending  Supported
Texture Clamping  Supported
Texture Mirroring  Supported
Texture Transparency  Supported
Texture Wrapping  Supported
Tiled Resources  Supported
Triangle Culling  Not Supported
Trilinear Filtering  Supported
Two-Sided Stencil Test  Supported
Vertex Alpha Blending  Supported
Vertex Fog  Supported
Vertex Tweening  Supported
Volume Textures  Supported
W-Based Fog  Supported
W-Buffering  Not Supported
Z-Based Fog  Supported
Z-Bias  Supported
Z-Test  Supported
 
Supported FourCC Codes:
AI44  Supported
AYUV  Supported
I420  Supported
IA44  Supported
IMC1  Supported
IMC2  Supported
IMC3  Supported
IMC4  Supported
IYUV  Supported
NV11  Supported
NV12  Supported
P010  Supported
P016  Supported
P208  Supported
UYVY  Supported
VYUY  Supported
Y210  Supported
Y216  Supported
Y410  Supported
Y416  Supported
YUY2  Supported
YV12  Supported
YVU9  Supported
YVYU  Supported
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates


DirectX Sound

 
[ Primary Sound Driver ]
 
DirectSound Device Properties:
Device Description  Primary Sound Driver
Driver Module  
Primary Buffers  1
Min / Max Secondary Buffers Sample Rate  100 / 200000 Hz
Primary Buffers Sound Formats  8-bit, 16-bit, Mono, Stereo
Secondary Buffers Sound Formats  8-bit, 16-bit, Mono, Stereo
Total / Free Sound Buffers  1 / 0
Total / Free Static Sound Buffers  1 / 0
Total / Free Streaming Sound Buffers  1 / 0
Total / Free 3D Sound Buffers  0 / 0
Total / Free 3D Static Sound Buffers  0 / 0
Total / Free 3D Streaming Sound Buffers  0 / 0
 
DirectSound Device Features:
Certified Driver  No
Emulated Device  No
Precise Sample Rate  Supported
DirectSound3D  Not Supported
Creative EAX 1.0  Not Supported
Creative EAX 2.0  Not Supported
Creative EAX 3.0  Not Supported
Creative EAX 4.0  Not Supported
Creative EAX 5.0  Not Supported
I3DL2  Not Supported
Sensaura ZoomFX  Not Supported
 
[ Speakers (Synaptics SmartAudio HD) ]
 
DirectSound Device Properties:
Device Description  Speakers (Synaptics SmartAudio HD)
Driver Module  {0.0.0.00000000}.{69594316-5c86-4741-bed9-bc1aaae0d9fd}
Primary Buffers  1
Min / Max Secondary Buffers Sample Rate  100 / 200000 Hz
Primary Buffers Sound Formats  8-bit, 16-bit, Mono, Stereo
Secondary Buffers Sound Formats  8-bit, 16-bit, Mono, Stereo
Total / Free Sound Buffers  1 / 0
Total / Free Static Sound Buffers  1 / 0
Total / Free Streaming Sound Buffers  1 / 0
Total / Free 3D Sound Buffers  0 / 0
Total / Free 3D Static Sound Buffers  0 / 0
Total / Free 3D Streaming Sound Buffers  0 / 0
 
DirectSound Device Features:
Certified Driver  No
Emulated Device  No
Precise Sample Rate  Supported
DirectSound3D  Not Supported
Creative EAX 1.0  Not Supported
Creative EAX 2.0  Not Supported
Creative EAX 3.0  Not Supported
Creative EAX 4.0  Not Supported
Creative EAX 5.0  Not Supported
I3DL2  Not Supported
Sensaura ZoomFX  Not Supported


Windows Devices

 
[ Devices ]
 
Audio inputs and outputs:
Microphone Array (Synaptics SmartAudio HD)  10.0.18362.1
Speakers (Synaptics SmartAudio HD)  10.0.18362.1
 
Batteries:
Microsoft AC Adapter  10.0.18362.1
Microsoft ACPI-Compliant Control Method Battery  10.0.18362.1
 
Biometric devices:
Goodix Fingerprint SPI Device  3.1.100.320
 
Bluetooth:
Intel(R) Wireless Bluetooth(R)  21.40.1.1
 
Cameras:
LG Camera  10.0.18362.693
 
Computer:
ACPI x64-based PC  10.0.18362.1
 
Disk drives:
SAMSUNG MZVLB512HAJQ-00000  10.0.18362.1
XPG GAMMIX S11L  10.0.18362.1
 
Display adapters:
Intel(R) Iris(R) Plus Graphics  26.20.100.7463
 
Firmware:
Device Firmware  10.0.18362.1
Device Firmware  10.0.18362.1
Device Firmware  10.0.18362.1
System Firmware  10.0.18362.1
 
Human Interface Devices:
HID-compliant touch pad  10.0.18362.175
HID-compliant vendor-defined device  10.0.18362.175
HID-compliant wireless radio controls  10.0.18362.175
I2C HID Device  10.0.18362.1
LG Airplane Mode Button  1.0.1806.3001
Microsoft Input Configuration Device  10.0.18362.1
 
Keyboards:
Standard PS/2 Keyboard  10.0.18362.1
 
Mice and other pointing devices:
HID-compliant mouse  10.0.18362.1
 
Monitors:
Generic PnP Monitor  10.0.18362.693
 
Network adapters:
Intel(R) Wi-Fi 6 AX201 160MHz  21.60.2.1
Microsoft Kernel Debug Network Adapter  10.0.18362.1
Microsoft Wi-Fi Direct Virtual Adapter #2  10.0.18362.1
Microsoft Wi-Fi Direct Virtual Adapter  10.0.18362.1
TAP-Windows Adapter V9  9.0.0.21
WAN Miniport (IKEv2)  10.0.18362.1
WAN Miniport (IP)  10.0.18362.1
WAN Miniport (IPv6)  10.0.18362.1
WAN Miniport (L2TP)  10.0.18362.1
WAN Miniport (Network Monitor)  10.0.18362.1
WAN Miniport (PPPOE)  10.0.18362.1
WAN Miniport (PPTP)  10.0.18362.1
WAN Miniport (SSTP)  10.0.18362.1
 
Print queues:
Fax  10.0.18362.1
Microsoft Print to PDF  10.0.18362.1
Microsoft XPS Document Writer  10.0.18362.1
Root Print Queue  10.0.18362.1
 
Processors:
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz  10.0.18362.693
 
Security devices:
Trusted Platform Module 2.0  10.0.18362.693
 
Software components:
DTS APO4x Service Component  1.1.2.0
DTS Audio Effects Component  1.1.2.0
DTS Audio Hardware Support Application  1.4.5.0
Intel(R) Dynamic Application Loader Host Interface  1.34.2019.714
Intel(R) Graphics Command Center  26.20.100.7463
Intel(R) Graphics Control Panel  26.20.100.7463
Intel(R) iCLS Client  1.57.263.0
Intel(R) Management and Security Application Local Management  1927.13.0.1087
Intel(R) Software Guard Extensions Software  2.4.100.51291
LG Platform Manager Service Plus  1.1.1910.101
LG Platform Manager Service  1.1.1910.702
SynaAPO Software Device (HSA)  1.1.51.0
Synaptics Audio Effects Component  1.3.0.0
Thunderbolt(TM) HSA Component  1.41.648.5
 
Software devices:
Bluetooth  10.0.18362.1
Microsoft Device Association Root Enumerator  10.0.18362.1
Microsoft GS Wavetable Synth  10.0.18362.1
Microsoft Radio Device Enumeration Bus  10.0.18362.1
Microsoft RRAS Root Enumerator  10.0.18362.1
Wi-Fi  10.0.18362.1
 
Sound, video and game controllers:
Intel(R) Display Audio  11.1.0.12
Synaptics SmartAudio HD  8.66.98.51
 
Storage controllers:
Microsoft Storage Spaces Controller  10.0.18362.449
Standard NVM Express Controller  10.0.18362.693
Standard NVM Express Controller  10.0.18362.693
 
Storage volumes:
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
Volume  10.0.18362.1
 
System devices:
ACPI Lid  10.0.18362.267
ACPI Power Button  10.0.18362.267
ACPI Processor Aggregator  10.0.18362.1
ACPI Sleep Button  10.0.18362.267
ACPI Thermal Zone  10.0.18362.267
Charge Arbitration Driver  10.0.18362.1
Composite Bus Enumerator  10.0.18362.329
High Definition Audio Controller  10.0.18362.693
High precision event timer  10.0.18362.267
I/O LPC Controller (U Premium) - 3482 for Intel(R) 495 Series Chipset Family On-Package Platform Controller Hub  10.1.12.2
Intel(R) Dynamic Tuning Generic Participant  8.6.10401.9906
Intel(R) Dynamic Tuning Generic Participant  8.6.10401.9906
Intel(R) Dynamic Tuning Manager  8.6.10401.9906
Intel(R) Dynamic Tuning PCH ACPI Participant  8.6.10401.9906
Intel(R) Dynamic Tuning Processor Participant  8.6.10401.9906
Intel(R) Management Engine Interface  1910.13.0.1060
Intel(R) PCI Express Root Port #13 - 34B4  10.1.12.2
Intel(R) PCI Express Root Port #9 - 34B0  10.1.12.2
Intel(R) Power Engine Plug-in  10.0.18362.693
Intel(R) Serial IO GPIO Host Controller - INT3455  30.100.1932.6
Intel(R) Serial IO I2C Host Controller - 34E8  30.100.1932.6
Intel(R) Serial IO I2C Host Controller - 34E9  30.100.1932.6
Intel(R) Serial IO SPI Host Controller - 34AB  30.100.1932.6
Intel(R) Serial IO UART Host Controller - 34A8  30.100.1932.6
Intel(R) SMBus - 34A3  10.1.12.2
Intel(R) Software Guard Extensions Device  2.4.100.51228
Intel(R) SPI (flash) Controller - 34A4  10.1.12.2
Microsoft ACPI-Compliant Embedded Controller  10.0.18362.267
Microsoft ACPI-Compliant System  10.0.18362.329
Microsoft Basic Display Driver  10.0.18362.329
Microsoft Basic Render Driver  10.0.18362.329
Microsoft Hyper-V Virtualization Infrastructure Driver  10.0.18362.476
Microsoft System Management BIOS Driver  10.0.18362.1
Microsoft UEFI-Compliant System  10.0.18362.329
Microsoft Virtual Drive Enumerator  10.0.18362.1
Microsoft Windows Management Interface for ACPI  10.0.18362.1
Microsoft Windows Management Interface for ACPI  10.0.18362.1
Microsoft Windows Management Interface for ACPI  10.0.18362.1
Microsoft Windows Management Interface for ACPI  10.0.18362.1
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
Motherboard resources  10.0.18362.267
NDIS Virtual Network Adapter Enumerator  10.0.18362.1
PCI Express Root Complex  10.0.18362.628
PCI Express Root Port  10.0.18362.628
PCI standard host CPU bridge  10.0.18362.267
PCI standard RAM Controller  10.0.18362.267
Platform Manager  1.1.1910.702
Platform Pep  1.0.2001.2101
Plug and Play Software Device Enumerator  10.0.18362.329
Programmable interrupt controller  10.0.18362.267
Remote Desktop Device Redirector Bus  10.0.18362.1
System timer  10.0.18362.267
Thunderbolt(TM) Controller - 8A17  1.41.648.5
UMBus Root Bus Enumerator  10.0.18362.329
Volume Manager  10.0.18362.628
 
Universal Serial Bus controllers:
Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)  10.0.18362.693
Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)  10.0.18362.693
USB Composite Device  10.0.18362.693
USB Root Hub (USB 3.0)  10.0.18362.1
USB Root Hub (USB 3.0)  10.0.18362.1
 
Unknown:
Unknown  
 
[ Audio inputs and outputs / Microphone Array (Synaptics SmartAudio HD) ]
 
Device Properties:
Driver Description  Microphone Array (Synaptics SmartAudio HD)
Driver Date  3/18/2019
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  audioendpoint.inf
INF Section  NO_DRV
Hardware ID  MMDEVAPI\AudioEndpoints
 
[ Audio inputs and outputs / Speakers (Synaptics SmartAudio HD) ]
 
Device Properties:
Driver Description  Speakers (Synaptics SmartAudio HD)
Driver Date  3/18/2019
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  audioendpoint.inf
INF Section  NO_DRV
Hardware ID  MMDEVAPI\AudioEndpoints
 
[ Batteries / Microsoft AC Adapter ]
 
Device Properties:
Driver Description  Microsoft AC Adapter
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  cmbatt.inf
INF Section  AcAdapter_Inst
Hardware ID  ACPI\VEN_ACPI&DEV_0003
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Batteries / Microsoft ACPI-Compliant Control Method Battery ]
 
Device Properties:
Driver Description  Microsoft ACPI-Compliant Control Method Battery
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  cmbatt.inf
INF Section  CmBatt_Inst
Hardware ID  ACPI\VEN_PNP&DEV_0C0A
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Biometric devices / Goodix Fingerprint SPI Device ]
 
Device Properties:
Driver Description  Goodix Fingerprint SPI Device
Driver Date  9/3/2019
Driver Version  3.1.100.320
Driver Provider  Goodix
INF File  oem30.inf
INF Section  MyDevice_Install.NT
Hardware ID  ACPI\VEN_GXFP&DEV_5A8B
 
Device Resources:
IRQ  1024
 
[ Bluetooth / Intel(R) Wireless Bluetooth(R) ]
 
Device Properties:
Driver Description  Intel(R) Wireless Bluetooth(R)
Driver Date  8/16/2019
Driver Version  21.40.1.1
Driver Provider  Intel Corporation
INF File  oem29.inf
INF Section  ibtusb
Hardware ID  USB\VID_8087&PID_0026&REV_0002
Location Information  Port_#0010.Hub_#0001
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Cameras / LG Camera ]
 
Device Properties:
Driver Description  LG Camera
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  usbvideo.inf
INF Section  USBVideo.NT
Hardware ID  USB\VID_0BDA&PID_5641&REV_0011&MI_00
Location Information  0000.0014.0000.002.000.000.000.000.000
 
[ Computer / ACPI x64-based PC ]
 
Device Properties:
Driver Description  ACPI x64-based PC
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  hal.inf
INF Section  ACPI_AMD64_HAL
Hardware ID  acpiapic
 
[ Disk drives / SAMSUNG MZVLB512HAJQ-00000 ]
 
Device Properties:
Driver Description  SAMSUNG MZVLB512HAJQ-00000
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  disk.inf
INF Section  disk_install.NT
Hardware ID  SCSI\DiskNVMe____SAMSUNG_MZVLB512301Q
Location Information  Bus Number 0, Target Id 0, LUN 0
 
Device Manufacturer:
Company Name  Samsung
Product Information  https://www.samsung.com/us/computing/memory-storage/solid-state-drives
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Disk drives / XPG GAMMIX S11L ]
 
Device Properties:
Driver Description  XPG GAMMIX S11L
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  disk.inf
INF Section  disk_install.NT
Hardware ID  SCSI\DiskNVMe____XPG_GAMMIX_S11L_2s16
Location Information  Bus Number 0, Target Id 0, LUN 0
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Display adapters / Intel(R) Iris(R) Plus Graphics ]
 
Device Properties:
Driver Description  Intel(R) Iris(R) Plus Graphics
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
INF File  oem7.inf
INF Section  iICLD_w10_DS_N
Hardware ID  PCI\VEN_8086&DEV_8A52&SUBSYS_03611854&REV_07
Location Information  PCI bus 0, device 2, function 0
PCI Device  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
 
Device Resources:
IRQ  65536
Memory  00000000-0FFFFFFF
Memory  1C000000-1CFFFFFF
Port  2000-203F
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Firmware / Device Firmware ]
 
Device Properties:
Driver Description  Device Firmware
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_firmware.inf
INF Section  FirmwareResource.NT
Hardware ID  UEFI\RES_{2fe2cbfc-b9aa-4a93-ab5b-40173b581c42}&REV_0
 
[ Firmware / Device Firmware ]
 
Device Properties:
Driver Description  Device Firmware
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_firmware.inf
INF Section  FirmwareResource.NT
Hardware ID  UEFI\RES_{7feb1d5d-33f4-48d3-bd11-c4b36b6d0e57}&REV_0
 
[ Firmware / Device Firmware ]
 
Device Properties:
Driver Description  Device Firmware
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_firmware.inf
INF Section  FirmwareResource.NT
Hardware ID  UEFI\RES_{96d4fdcd-1502-424d-9d4c-9b12d2dcae5c}&REV_0
 
[ Firmware / System Firmware ]
 
Device Properties:
Driver Description  System Firmware
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_firmware.inf
INF Section  FirmwareResource.NT
Hardware ID  UEFI\RES_{bf7fc589-0104-4458-9391-b20511efd674}&REV_13CD3C0
 
[ Human Interface Devices / HID-compliant touch pad ]
 
Device Properties:
Driver Description  HID-compliant touch pad
Driver Date  6/21/2006
Driver Version  10.0.18362.175
Driver Provider  Microsoft
INF File  input.inf
INF Section  HID_Raw_Inst.NT
Hardware ID  HID\VEN_ELAN&DEV_0E03&Col03
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Human Interface Devices / HID-compliant vendor-defined device ]
 
Device Properties:
Driver Description  HID-compliant vendor-defined device
Driver Date  6/21/2006
Driver Version  10.0.18362.175
Driver Provider  Microsoft
INF File  input.inf
INF Section  HID_Raw_Inst.NT
Hardware ID  HID\VEN_ELAN&DEV_0E03&Col02
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Human Interface Devices / HID-compliant wireless radio controls ]
 
Device Properties:
Driver Description  HID-compliant wireless radio controls
Driver Date  6/21/2006
Driver Version  10.0.18362.175
Driver Provider  Microsoft
INF File  input.inf
INF Section  HID_Raw_Inst.NT
Hardware ID  HID\VEN_LGEX&DEV_0815
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Human Interface Devices / I2C HID Device ]
 
Device Properties:
Driver Description  I2C HID Device
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  hidi2c.inf
INF Section  hidi2c_Device.NT
Hardware ID  ACPI\VEN_ELAN&DEV_0E03
 
Device Resources:
IRQ  98
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Human Interface Devices / LG Airplane Mode Button ]
 
Device Properties:
Driver Description  LG Airplane Mode Button
Driver Date  6/29/2018
Driver Version  1.0.1806.3001
Driver Provider  LG Electronics Inc.
INF File  oem27.inf
INF Section  AirModeBtn.Inst.Win7.NTamd64
Hardware ID  ACPI\VEN_LGEX&DEV_0815
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Human Interface Devices / Microsoft Input Configuration Device ]
 
Device Properties:
Driver Description  Microsoft Input Configuration Device
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  mtconfig.inf
INF Section  MTConfigInst.NT
Hardware ID  HID\VEN_ELAN&DEV_0E03&Col04
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Keyboards / Standard PS/2 Keyboard ]
 
Device Properties:
Driver Description  Standard PS/2 Keyboard
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  keyboard.inf
INF Section  STANDARD_Inst
Hardware ID  ACPI\VEN_LGEX&DEV_0001
 
Device Resources:
IRQ  01
Port  0060-0060
Port  0064-0064
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Mice and other pointing devices / HID-compliant mouse ]
 
Device Properties:
Driver Description  HID-compliant mouse
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  msmouse.inf
INF Section  HID_Mouse_Inst.NT
Hardware ID  HID\VEN_ELAN&DEV_0E03&Col01
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Monitors / Generic PnP Monitor ]
 
Device Properties:
Driver Description  Generic PnP Monitor
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  monitor.inf
INF Section  PnPMonitor.Install
Hardware ID  MONITOR\LGD05F8
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / Intel(R) Wi-Fi 6 AX201 160MHz ]
 
Device Properties:
Driver Description  Intel(R) Wi-Fi 6 AX201 160MHz
Driver Date  12/15/2019
Driver Version  21.60.2.1
Driver Provider  Intel
INF File  oem51.inf
INF Section  Install_MPCIEX_GENM2CRF1_201_AX_2x2_HMC_WINT_64_AX
Hardware ID  PCI\VEN_8086&DEV_34F0&SUBSYS_00748086&REV_30
Location Information  PCI bus 0, device 20, function 3
PCI Device  Intel Ice Point-LP PCH - WiFi Controller
 
Device Resources:
IRQ  65536
IRQ  65536
Memory  FFEE8000-FFEEBFFF
 
Network Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/content/www/us/en/products/network-io.html
Driver Download  https://www.intel.com/support/network
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / Microsoft Kernel Debug Network Adapter ]
 
Device Properties:
Driver Description  Microsoft Kernel Debug Network Adapter
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  kdnic.inf
INF Section  KdNic.ndi
Hardware ID  root\kdnic
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / Microsoft Wi-Fi Direct Virtual Adapter #2 ]
 
Device Properties:
Driver Description  Microsoft Wi-Fi Direct Virtual Adapter #2
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netvwifimp.inf
INF Section  vwifimp_wfd.ndi
Hardware ID  {5d624f94-8850-40c3-a3fa-a4fd2080baf3}\vwifimp_wfd
Location Information  VWiFi Bus 0
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / Microsoft Wi-Fi Direct Virtual Adapter ]
 
Device Properties:
Driver Description  Microsoft Wi-Fi Direct Virtual Adapter
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netvwifimp.inf
INF Section  vwifimp_wfd.ndi
Hardware ID  {5d624f94-8850-40c3-a3fa-a4fd2080baf3}\vwifimp_wfd
Location Information  VWiFi Bus 0
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / TAP-Windows Adapter V9 ]
 
Device Properties:
Driver Description  TAP-Windows Adapter V9
Driver Date  4/21/2016
Driver Version  9.0.0.21
Driver Provider  TAP-Windows Provider V9
INF File  oem50.inf
INF Section  tap0901.ndi
Hardware ID  tap0901
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (IKEv2) ]
 
Device Properties:
Driver Description  WAN Miniport (IKEv2)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netavpna.inf
INF Section  Ndi-Mp-AgileVpn
Hardware ID  ms_agilevpnminiport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (IP) ]
 
Device Properties:
Driver Description  WAN Miniport (IP)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-Ip
Hardware ID  ms_ndiswanip
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (IPv6) ]
 
Device Properties:
Driver Description  WAN Miniport (IPv6)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-Ipv6
Hardware ID  ms_ndiswanipv6
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (L2TP) ]
 
Device Properties:
Driver Description  WAN Miniport (L2TP)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-L2tp
Hardware ID  ms_l2tpminiport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (Network Monitor) ]
 
Device Properties:
Driver Description  WAN Miniport (Network Monitor)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-Bh
Hardware ID  ms_ndiswanbh
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (PPPOE) ]
 
Device Properties:
Driver Description  WAN Miniport (PPPOE)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-Pppoe
Hardware ID  ms_pppoeminiport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (PPTP) ]
 
Device Properties:
Driver Description  WAN Miniport (PPTP)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netrasa.inf
INF Section  Ndi-Mp-Pptp
Hardware ID  ms_pptpminiport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Network adapters / WAN Miniport (SSTP) ]
 
Device Properties:
Driver Description  WAN Miniport (SSTP)
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  netsstpa.inf
INF Section  Ndi-Mp-Sstp
Hardware ID  ms_sstpminiport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Print queues / Fax ]
 
Device Properties:
Driver Description  Fax
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  printqueue.inf
INF Section  NO_DRV_LOCAL
Hardware ID  PRINTENUM\microsoftmicrosoft_s7d14
 
[ Print queues / Microsoft Print to PDF ]
 
Device Properties:
Driver Description  Microsoft Print to PDF
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  printqueue.inf
INF Section  NO_DRV_LOCAL
Hardware ID  PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
 
[ Print queues / Microsoft XPS Document Writer ]
 
Device Properties:
Driver Description  Microsoft XPS Document Writer
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  printqueue.inf
INF Section  NO_DRV_LOCAL
Hardware ID  PRINTENUM\{0f4130dd-19c7-7ab6-99a1-980f03b2ee4e}
 
[ Print queues / Root Print Queue ]
 
Device Properties:
Driver Description  Root Print Queue
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  printqueue.inf
INF Section  NO_DRV_LOCAL
Hardware ID  PRINTENUM\LocalPrintQueue
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Processors / Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz ]
 
Device Properties:
Driver Description  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
Driver Date  4/21/2009
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  cpu.inf
INF Section  IntelPPM_Inst.NT
Hardware ID  ACPI\GenuineIntel_-_Intel64_Family_6_Model_126
 
CPU Manufacturer:
Company Name  Intel Corporation
Product Information  https://ark.intel.com/content/www/us/en/ark/search.html?q=Intel%20Core%20i7-1065G7
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Security devices / Trusted Platform Module 2.0 ]
 
Device Properties:
Driver Description  Trusted Platform Module 2.0
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  tpm.inf
INF Section  Tpm2BaseInstall
Hardware ID  ACPI\VEN_INTC&DEV_5000
 
Device Resources:
Memory  FED40000-FED44FFF
 
[ Software components / DTS APO4x Service Component ]
 
Device Properties:
Driver Description  DTS APO4x Service Component
Driver Date  7/16/2019
Driver Version  1.1.2.0
Driver Provider  DTS
INF File  oem41.inf
INF Section  DTSService_Installx64
Hardware ID  SWC\VEN_DTSI&HID_DTSIAPO4xSERVICE
 
[ Software components / DTS Audio Effects Component ]
 
Device Properties:
Driver Description  DTS Audio Effects Component
Driver Date  7/16/2019
Driver Version  1.1.2.0
Driver Provider  DTS
INF File  oem40.inf
INF Section  ApoComponent_Install
Hardware ID  SWC\VEN_DTSI&AID_DTSI2
 
[ Software components / DTS Audio Hardware Support Application ]
 
Device Properties:
Driver Description  DTS Audio Hardware Support Application
Driver Date  6/24/2019
Driver Version  1.4.5.0
Driver Provider  DTS
INF File  oem42.inf
INF Section  DTSHSA_ULTRA_Install
Hardware ID  SWC\VEN_DTSI&HID_DTSIULTRA
 
[ Software components / Intel(R) Dynamic Application Loader Host Interface ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Application Loader Host Interface
Driver Date  7/17/2019
Driver Version  1.34.2019.714
Driver Provider  Intel
INF File  oem19.inf
INF Section  DALInstallSection.ntamd64
Hardware ID  SWC\3C4852D6-D47B-4F46-B05E-B5EDC1AA440E
 
[ Software components / Intel(R) Graphics Command Center ]
 
Device Properties:
Driver Description  Intel(R) Graphics Command Center
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
INF File  oem9.inf
INF Section  IGCC_Component_Install
Hardware ID  SWC\100.7463_VEN8086_IGCC
 
[ Software components / Intel(R) Graphics Control Panel ]
 
Device Properties:
Driver Description  Intel(R) Graphics Control Panel
Driver Date  11/6/2019
Driver Version  26.20.100.7463
Driver Provider  Intel Corporation
INF File  oem8.inf
INF Section  Igdlh_CUI_Component_Install_Yangra
Hardware ID  SWC\100.7463_VEN8086_GFXUI_Yangra
 
[ Software components / Intel(R) iCLS Client ]
 
Device Properties:
Driver Description  Intel(R) iCLS Client
Driver Date  8/22/2019
Driver Version  1.57.263.0
Driver Provider  Intel
INF File  oem20.inf
INF Section  IclsClientInstallSection.NTamd64
Hardware ID  SWC\PROVIDER_INTEL_COMPONENT_ICLSCLIENT
 
[ Software components / Intel(R) Management and Security Application Local Management ]
 
Device Properties:
Driver Description  Intel(R) Management and Security Application Local Management
Driver Date  7/1/2019
Driver Version  1927.13.0.1087
Driver Provider  Intel
INF File  oem21.inf
INF Section  LMSInstallSection.NTamd64
Hardware ID  SWC\5DCEB103-DD64-403C-A17C-94FC5F917A9C
 
[ Software components / Intel(R) Software Guard Extensions Software ]
 
Device Properties:
Driver Description  Intel(R) Software Guard Extensions Software
Driver Date  7/1/2019
Driver Version  2.4.100.51291
Driver Provider  Intel Corporation
INF File  oem37.inf
INF Section  SGX_PSW.NT
Hardware ID  SWC\VEN_INT&DEV_0E0C
 
[ Software components / LG Platform Manager Service Plus ]
 
Device Properties:
Driver Description  LG Platform Manager Service Plus
Driver Date  10/2/2019
Driver Version  1.1.1910.101
Driver Provider  LG Electronics Inc.
INF File  oem38.inf
INF Section  UWPMgrUserSvc_Install.NT
Hardware ID  SWC\LGEX0820&PID_0002
 
[ Software components / LG Platform Manager Service ]
 
Device Properties:
Driver Description  LG Platform Manager Service
Driver Date  10/7/2019
Driver Version  1.1.1910.702
Driver Provider  LG Electronics Inc.
INF File  oem5.inf
INF Section  PlatMgrUserSvc_Install.NT
Hardware ID  SWC\LGEX0820&PID_0001
 
[ Software components / SynaAPO Software Device (HSA) ]
 
Device Properties:
Driver Description  SynaAPO Software Device (HSA)
Driver Date  9/6/2019
Driver Version  1.1.51.0
Driver Provider  Synaptics
INF File  oem33.inf
INF Section  SynaAPO_SoftwareComponent_Install.NT
Hardware ID  SWC\VEN_14F1&PID_HSA_GenSA2Audio_01
 
[ Software components / Synaptics Audio Effects Component ]
 
Device Properties:
Driver Description  Synaptics Audio Effects Component
Driver Date  1/30/2019
Driver Version  1.3.0.0
Driver Provider  Synaptics
INF File  oem35.inf
INF Section  ApoComponent_Install
Hardware ID  SWC\VEN_14F1&AID_LG00
 
[ Software components / Thunderbolt(TM) HSA Component ]
 
Device Properties:
Driver Description  Thunderbolt(TM) HSA Component
Driver Date  6/12/2019
Driver Version  1.41.648.5
Driver Provider  Intel(R) Corporation
INF File  oem45.inf
INF Section  Thunderbolt_HSA_Install.NT
Hardware ID  SWC\PROVIDER_Intel&&COMPONENT_ThunderboltHSA
 
[ Software devices / Bluetooth ]
 
Device Properties:
Driver Description  Bluetooth
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Software devices / Microsoft Device Association Root Enumerator ]
 
Device Properties:
Driver Description  Microsoft Device Association Root Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Software devices / Microsoft GS Wavetable Synth ]
 
Device Properties:
Driver Description  Microsoft GS Wavetable Synth
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Software devices / Microsoft Radio Device Enumeration Bus ]
 
Device Properties:
Driver Description  Microsoft Radio Device Enumeration Bus
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Software devices / Microsoft RRAS Root Enumerator ]
 
Device Properties:
Driver Description  Microsoft RRAS Root Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Software devices / Wi-Fi ]
 
Device Properties:
Driver Description  Wi-Fi
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  c_swdevice.inf
INF Section  SoftwareDevice
 
[ Sound, video and game controllers / Intel(R) Display Audio ]
 
Device Properties:
Driver Description  Intel(R) Display Audio
Driver Date  9/24/2019
Driver Version  11.1.0.12
Driver Provider  Intel(R) Corporation
INF File  oem11.inf
INF Section  IntcAudModel
Hardware ID  HDAUDIO\FUNC_01&VEN_8086&DEV_280F&SUBSYS_80860101&REV_1000
Location Information  Internal High Definition Audio Bus
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Sound, video and game controllers / Synaptics SmartAudio HD ]
 
Device Properties:
Driver Description  Synaptics SmartAudio HD
Driver Date  8/28/2019
Driver Version  8.66.98.51
Driver Provider  Synaptics
INF File  oem31.inf
INF Section  HdAud2072x4.Array1.NTamd64
Hardware ID  HDAUDIO\FUNC_01&VEN_14F1&DEV_2008&SUBSYS_18540370&REV_1001
Location Information  Internal High Definition Audio Bus
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Storage controllers / Microsoft Storage Spaces Controller ]
 
Device Properties:
Driver Description  Microsoft Storage Spaces Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.449
Driver Provider  Microsoft
INF File  spaceport.inf
INF Section  Spaceport_Install
Hardware ID  Root\Spaceport
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Storage controllers / Standard NVM Express Controller ]
 
Device Properties:
Driver Description  Standard NVM Express Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  stornvme.inf
INF Section  Stornvme_Inst
Hardware ID  PCI\VEN_144D&DEV_A808&SUBSYS_A801144D&REV_00
Location Information  PCI bus 43, device 0, function 0
PCI Device  Samsung NVMe SSD Controller
 
Device Resources:
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
Memory  5A300000-5A303FFF
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Storage controllers / Standard NVM Express Controller ]
 
Device Properties:
Driver Description  Standard NVM Express Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  stornvme.inf
INF Section  Stornvme_Inst
Hardware ID  PCI\VEN_10EC&DEV_5763&SUBSYS_576310EC&REV_01
Location Information  PCI bus 44, device 0, function 0
PCI Device  Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller
 
Device Resources:
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
Memory  5A200000-5A203FFF
Memory  5A204000-5A205FFF
 
Device Manufacturer:
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ Storage volumes / Volume ]
 
Device Properties:
Driver Description  Volume
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  volume.inf
INF Section  volume_install.NT
Hardware ID  STORAGE\Volume
 
[ System devices / ACPI Lid ]
 
Device Properties:
Driver Description  ACPI Lid
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  ACPI\VEN_PNP&DEV_0C0D
 
[ System devices / ACPI Power Button ]
 
Device Properties:
Driver Description  ACPI Power Button
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  ACPI\VEN_PNP&DEV_0C0C
 
[ System devices / ACPI Processor Aggregator ]
 
Device Properties:
Driver Description  ACPI Processor Aggregator
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  acpipagr.inf
INF Section  PagrInstall
Hardware ID  ACPI\VEN_ACPI&DEV_000C
 
[ System devices / ACPI Sleep Button ]
 
Device Properties:
Driver Description  ACPI Sleep Button
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  ACPI\VEN_PNP&DEV_0C0E
 
[ System devices / ACPI Thermal Zone ]
 
Device Properties:
Driver Description  ACPI Thermal Zone
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  ACPI\ThermalZone
 
[ System devices / Charge Arbitration Driver ]
 
Device Properties:
Driver Description  Charge Arbitration Driver
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  ChargeArbitration.inf
INF Section  CAD_Inst.NT
Hardware ID  ROOT\CAD
 
[ System devices / Composite Bus Enumerator ]
 
Device Properties:
Driver Description  Composite Bus Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  compositebus.inf
INF Section  CompositeBus_Device.NT
Hardware ID  ROOT\CompositeBus
 
[ System devices / High Definition Audio Controller ]
 
Device Properties:
Driver Description  High Definition Audio Controller
Driver Date  2/20/2020
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  hdaudbus.inf
INF Section  HDAudio_Device.NT
Hardware ID  PCI\VEN_8086&DEV_34C8&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 31, function 3
PCI Device  Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
 
Device Resources:
IRQ  16
Memory  FFEEC000-FFEEFFFF
Memory  FFF00000-FFFFFFFF
 
[ System devices / High precision event timer ]
 
Device Properties:
Driver Description  High precision event timer
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_HPET
Hardware ID  ACPI\VEN_PNP&DEV_0103
 
[ System devices / I/O LPC Controller (U Premium) - 3482 for Intel(R) 495 Series Chipset Family On-Package Platform Controller Hub ]
 
Device Properties:
Driver Description  I/O LPC Controller (U Premium) - 3482 for Intel(R) 495 Series Chipset Family On-Package Platform Controller Hub
Driver Date  7/18/1968
Driver Version  10.1.12.2
Driver Provider  INTEL
INF File  oem1.inf
INF Section  Needs_MSISADRV
Hardware ID  PCI\VEN_8086&DEV_3482&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 31, function 0
PCI Device  Intel Ice Point-LP PCH Premium - eSPI Controller [D0]
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ System devices / Intel(R) Dynamic Tuning Generic Participant ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Tuning Generic Participant
Driver Date  6/14/2019
Driver Version  8.6.10401.9906
Driver Provider  Intel
INF File  oem15.inf
INF Section  DptfAcpi.NTamd64
Hardware ID  ACPI\VEN_INT&DEV_3403
 
[ System devices / Intel(R) Dynamic Tuning Generic Participant ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Tuning Generic Participant
Driver Date  6/14/2019
Driver Version  8.6.10401.9906
Driver Provider  Intel
INF File  oem15.inf
INF Section  DptfAcpi.NTamd64
Hardware ID  ACPI\VEN_INT&DEV_3403
 
[ System devices / Intel(R) Dynamic Tuning Manager ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Tuning Manager
Driver Date  6/14/2019
Driver Version  8.6.10401.9906
Driver Provider  Intel
INF File  oem15.inf
INF Section  DptfAcpi.NTamd64
Hardware ID  ACPI\VEN_INT&DEV_3400
 
[ System devices / Intel(R) Dynamic Tuning PCH ACPI Participant ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Tuning PCH ACPI Participant
Driver Date  6/14/2019
Driver Version  8.6.10401.9906
Driver Provider  Intel
INF File  oem15.inf
INF Section  DptfAcpi.NTamd64
Hardware ID  ACPI\VEN_INT&DEV_3405
 
[ System devices / Intel(R) Dynamic Tuning Processor Participant ]
 
Device Properties:
Driver Description  Intel(R) Dynamic Tuning Processor Participant
Driver Date  6/14/2019
Driver Version  8.6.10401.9906
Driver Provider  Intel
INF File  oem16.inf
INF Section  EsifManager10.0.NTamd64
Hardware ID  PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03
Location Information  PCI bus 0, device 4, function 0
PCI Device  Intel Ice Lake - Dynamic Platform & Thermal Framework Processor Participant
 
Device Resources:
IRQ  16
Memory  FFED0000-FFEDFFFF
 
[ System devices / Intel(R) Management Engine Interface ]
 
Device Properties:
Driver Description  Intel(R) Management Engine Interface
Driver Date  3/4/2019
Driver Version  1910.13.0.1060
Driver Provider  Intel
INF File  oem17.inf
INF Section  TEE_DDI_W10_x64
Hardware ID  PCI\VEN_8086&DEV_34E0&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 22, function 0
PCI Device  Intel Ice Point-LP PCH - HECI Controller 1
 
Device Resources:
IRQ  65536
Memory  FFEE5000-FFEE5FFF
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ System devices / Intel(R) PCI Express Root Port #13 - 34B4 ]
 
Device Properties:
Driver Description  Intel(R) PCI Express Root Port #13 - 34B4
Driver Date  7/18/1968
Driver Version  10.1.12.2
Driver Provider  INTEL
INF File  oem1.inf
INF Section  Needs_PCI_DRV
Hardware ID  PCI\VEN_8086&DEV_34B4&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 29, function 4
PCI Device  Intel Ice Point-LP PCH - PCI Express Root Port 13
 
Device Resources:
IRQ  131071
Memory  5A200000-5A2FFFFF
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ System devices / Intel(R) PCI Express Root Port #9 - 34B0 ]
 
Device Properties:
Driver Description  Intel(R) PCI Express Root Port #9 - 34B0
Driver Date  7/18/1968
Driver Version  10.1.12.2
Driver Provider  INTEL
INF File  oem1.inf
INF Section  Needs_PCI_DRV
Hardware ID  PCI\VEN_8086&DEV_34B0&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 29, function 0
PCI Device  Intel Ice Point-LP PCH - PCI Express Root Port 9
 
Device Resources:
IRQ  131071
Memory  5A300000-5A3FFFFF
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ System devices / Intel(R) Power Engine Plug-in ]
 
Device Properties:
Driver Description  Intel(R) Power Engine Plug-in
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  intelpep.inf
INF Section  HSWULT
Hardware ID  ACPI\VEN_INT&DEV_33A1
 
[ System devices / Intel(R) Serial IO GPIO Host Controller - INT3455 ]
 
Device Properties:
Driver Description  Intel(R) Serial IO GPIO Host Controller - INT3455
Driver Date  8/8/2019
Driver Version  30.100.1932.6
Driver Provider  Intel Corporation
INF File  oem22.inf
INF Section  iaLPSS2_GPIO2_Device.NT
Hardware ID  ACPI\VEN_INT&DEV_3455
 
Device Resources:
IRQ  14
Memory  FD690000-FD69FFFF
Memory  FD6A0000-FD6AFFFF
Memory  FD6D0000-FD6DFFFF
Memory  FD6E0000-FD6EFFFF
 
[ System devices / Intel(R) Serial IO I2C Host Controller - 34E8 ]
 
Device Properties:
Driver Description  Intel(R) Serial IO I2C Host Controller - 34E8
Driver Date  8/8/2019
Driver Version  30.100.1932.6
Driver Provider  Intel Corporation
INF File  oem23.inf
INF Section  iaLPSS2_I2C_Device.NT
Hardware ID  PCI\VEN_8086&DEV_34E8&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 21, function 0
PCI Device  Intel Ice Point-LP PCH - I2C Controller 0
 
Device Resources:
IRQ  16
Memory  FFEE4000-FFEE4FFF
 
[ System devices / Intel(R) Serial IO I2C Host Controller - 34E9 ]
 
Device Properties:
Driver Description  Intel(R) Serial IO I2C Host Controller - 34E9
Driver Date  8/8/2019
Driver Version  30.100.1932.6
Driver Provider  Intel Corporation
INF File  oem23.inf
INF Section  iaLPSS2_I2C_Device.NT
Hardware ID  PCI\VEN_8086&DEV_34E9&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 21, function 1
PCI Device  Intel Ice Point-LP PCH - I2C Controller 1
 
Device Resources:
IRQ  17
Memory  FFEE3000-FFEE3FFF
 
[ System devices / Intel(R) Serial IO SPI Host Controller - 34AB ]
 
Device Properties:
Driver Description  Intel(R) Serial IO SPI Host Controller - 34AB
Driver Date  8/8/2019
Driver Version  30.100.1932.6
Driver Provider  Intel Corporation
INF File  oem24.inf
INF Section  iaLPSS2_SPI_Device.NT
Hardware ID  PCI\VEN_8086&DEV_34AB&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 30, function 3
PCI Device  Intel Ice Point-LP PCH - GSPI Controller 1
 
Device Resources:
IRQ  23
Memory  FFEE7000-FFEE7FFF
 
[ System devices / Intel(R) Serial IO UART Host Controller - 34A8 ]
 
Device Properties:
Driver Description  Intel(R) Serial IO UART Host Controller - 34A8
Driver Date  8/8/2019
Driver Version  30.100.1932.6
Driver Provider  Intel Corporation
INF File  oem25.inf
INF Section  iaLPSS2_UART2_Inst.NT
Hardware ID  PCI\VEN_8086&DEV_34A8&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 30, function 0
PCI Device  Intel Ice Point-LP PCH - UART Controller 0
 
Device Resources:
IRQ  20
Memory  FFEE6000-FFEE6FFF
 
[ System devices / Intel(R) SMBus - 34A3 ]
 
Device Properties:
Driver Description  Intel(R) SMBus - 34A3
Driver Date  7/18/1968
Driver Version  10.1.12.2
Driver Provider  INTEL
INF File  oem1.inf
INF Section  Needs_NO_DRV
Hardware ID  PCI\VEN_8086&DEV_34A3&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 31, function 4
PCI Device  Intel Ice Point-LP PCH - SMBus Controller
 
[ System devices / Intel(R) Software Guard Extensions Device ]
 
Device Properties:
Driver Description  Intel(R) Software Guard Extensions Device
Driver Date  6/27/2019
Driver Version  2.4.100.51228
Driver Provider  Intel Corporation
INF File  oem36.inf
INF Section  SGXPSW_Device.NT
Hardware ID  ACPI\VEN_INT&DEV_0E0C
 
Device Resources:
Memory  400C0000-45D7FFFF
 
[ System devices / Intel(R) SPI (flash) Controller - 34A4 ]
 
Device Properties:
Driver Description  Intel(R) SPI (flash) Controller - 34A4
Driver Date  7/18/1968
Driver Version  10.1.12.2
Driver Provider  INTEL
INF File  oem1.inf
INF Section  Needs_NO_DRV
Hardware ID  PCI\VEN_8086&DEV_34A4&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 31, function 5
PCI Device  Intel Ice Point-LP PCH - SPI (Flash) Controller
 
[ System devices / Microsoft ACPI-Compliant Embedded Controller ]
 
Device Properties:
Driver Description  Microsoft ACPI-Compliant Embedded Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  ACPI\VEN_PNP&DEV_0C09
 
Device Resources:
Port  0062-0062
Port  0066-0066
 
[ System devices / Microsoft ACPI-Compliant System ]
 
Device Properties:
Driver Description  Microsoft ACPI-Compliant System
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  acpi.inf
INF Section  ACPI_Inst.NT
Hardware ID  ACPI_HAL\PNP0C08
PnP Device  ACPI Driver/BIOS
 
Device Resources:
IRQ  100
IRQ  101
IRQ  102
IRQ  103
IRQ  104
IRQ  105
IRQ  106
IRQ  107
IRQ  108
IRQ  109
IRQ  110
IRQ  111
IRQ  112
IRQ  113
IRQ  114
IRQ  115
IRQ  116
IRQ  117
IRQ  118
IRQ  119
IRQ  120
IRQ  121
IRQ  122
IRQ  123
IRQ  124
IRQ  125
IRQ  126
IRQ  127
IRQ  128
IRQ  129
IRQ  130
IRQ  131
IRQ  132
IRQ  133
IRQ  134
IRQ  135
IRQ  136
IRQ  137
IRQ  138
IRQ  139
IRQ  140
IRQ  141
IRQ  142
IRQ  143
IRQ  144
IRQ  145
IRQ  146
IRQ  147
IRQ  148
IRQ  149
IRQ  150
IRQ  151
IRQ  152
IRQ  153
IRQ  154
IRQ  155
IRQ  156
IRQ  157
IRQ  158
IRQ  159
IRQ  160
IRQ  161
IRQ  162
IRQ  163
IRQ  164
IRQ  165
IRQ  166
IRQ  167
IRQ  168
IRQ  169
IRQ  170
IRQ  171
IRQ  172
IRQ  173
IRQ  174
IRQ  175
IRQ  176
IRQ  177
IRQ  178
IRQ  179
IRQ  180
IRQ  181
IRQ  182
IRQ  183
IRQ  184
IRQ  185
IRQ  186
IRQ  187
IRQ  188
IRQ  189
IRQ  190
IRQ  191
IRQ  192
IRQ  193
IRQ  194
IRQ  195
IRQ  196
IRQ  197
IRQ  198
IRQ  199
IRQ  200
IRQ  201
IRQ  202
IRQ  203
IRQ  204
IRQ  256
IRQ  257
IRQ  258
IRQ  259
IRQ  260
IRQ  261
IRQ  262
IRQ  263
IRQ  264
IRQ  265
IRQ  266
IRQ  267
IRQ  268
IRQ  269
IRQ  270
IRQ  271
IRQ  272
IRQ  273
IRQ  274
IRQ  275
IRQ  276
IRQ  277
IRQ  278
IRQ  279
IRQ  280
IRQ  281
IRQ  282
IRQ  283
IRQ  284
IRQ  285
IRQ  286
IRQ  287
IRQ  288
IRQ  289
IRQ  290
IRQ  291
IRQ  292
IRQ  293
IRQ  294
IRQ  295
IRQ  296
IRQ  297
IRQ  298
IRQ  299
IRQ  300
IRQ  301
IRQ  302
IRQ  303
IRQ  304
IRQ  305
IRQ  306
IRQ  307
IRQ  308
IRQ  309
IRQ  310
IRQ  311
IRQ  312
IRQ  313
IRQ  314
IRQ  315
IRQ  316
IRQ  317
IRQ  318
IRQ  319
IRQ  320
IRQ  321
IRQ  322
IRQ  323
IRQ  324
IRQ  325
IRQ  326
IRQ  327
IRQ  328
IRQ  329
IRQ  330
IRQ  331
IRQ  332
IRQ  333
IRQ  334
IRQ  335
IRQ  336
IRQ  337
IRQ  338
IRQ  339
IRQ  340
IRQ  341
IRQ  342
IRQ  343
IRQ  344
IRQ  345
IRQ  346
IRQ  347
IRQ  348
IRQ  349
IRQ  350
IRQ  351
IRQ  352
IRQ  353
IRQ  354
IRQ  355
IRQ  356
IRQ  357
IRQ  358
IRQ  359
IRQ  360
IRQ  361
IRQ  362
IRQ  363
IRQ  364
IRQ  365
IRQ  366
IRQ  367
IRQ  368
IRQ  369
IRQ  370
IRQ  371
IRQ  372
IRQ  373
IRQ  374
IRQ  375
IRQ  376
IRQ  377
IRQ  378
IRQ  379
IRQ  380
IRQ  381
IRQ  382
IRQ  383
IRQ  384
IRQ  385
IRQ  386
IRQ  387
IRQ  388
IRQ  389
IRQ  390
IRQ  391
IRQ  392
IRQ  393
IRQ  394
IRQ  395
IRQ  396
IRQ  397
IRQ  398
IRQ  399
IRQ  400
IRQ  401
IRQ  402
IRQ  403
IRQ  404
IRQ  405
IRQ  406
IRQ  407
IRQ  408
IRQ  409
IRQ  410
IRQ  411
IRQ  412
IRQ  413
IRQ  414
IRQ  415
IRQ  416
IRQ  417
IRQ  418
IRQ  419
IRQ  420
IRQ  421
IRQ  422
IRQ  423
IRQ  424
IRQ  425
IRQ  426
IRQ  427
IRQ  428
IRQ  429
IRQ  430
IRQ  431
IRQ  432
IRQ  433
IRQ  434
IRQ  435
IRQ  436
IRQ  437
IRQ  438
IRQ  439
IRQ  440
IRQ  441
IRQ  442
IRQ  443
IRQ  444
IRQ  445
IRQ  446
IRQ  447
IRQ  448
IRQ  449
IRQ  450
IRQ  451
IRQ  452
IRQ  453
IRQ  454
IRQ  455
IRQ  456
IRQ  457
IRQ  458
IRQ  459
IRQ  460
IRQ  461
IRQ  462
IRQ  463
IRQ  464
IRQ  465
IRQ  466
IRQ  467
IRQ  468
IRQ  469
IRQ  470
IRQ  471
IRQ  472
IRQ  473
IRQ  474
IRQ  475
IRQ  476
IRQ  477
IRQ  478
IRQ  479
IRQ  480
IRQ  481
IRQ  482
IRQ  483
IRQ  484
IRQ  485
IRQ  486
IRQ  487
IRQ  488
IRQ  489
IRQ  490
IRQ  491
IRQ  492
IRQ  493
IRQ  494
IRQ  495
IRQ  496
IRQ  497
IRQ  498
IRQ  499
IRQ  500
IRQ  501
IRQ  502
IRQ  503
IRQ  504
IRQ  505
IRQ  506
IRQ  507
IRQ  508
IRQ  509
IRQ  510
IRQ  511
IRQ  55
IRQ  56
IRQ  57
IRQ  58
IRQ  59
IRQ  60
IRQ  61
IRQ  62
IRQ  63
IRQ  64
IRQ  65
IRQ  66
IRQ  67
IRQ  68
IRQ  69
IRQ  70
IRQ  71
IRQ  72
IRQ  73
IRQ  74
IRQ  75
IRQ  76
IRQ  77
IRQ  78
IRQ  79
IRQ  80
IRQ  81
IRQ  82
IRQ  83
IRQ  84
IRQ  85
IRQ  86
IRQ  87
IRQ  88
IRQ  89
IRQ  90
IRQ  91
IRQ  92
IRQ  93
IRQ  94
IRQ  95
IRQ  96
IRQ  97
IRQ  98
IRQ  99
 
[ System devices / Microsoft Basic Display Driver ]
 
Device Properties:
Driver Description  Microsoft Basic Display Driver
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  basicdisplay.inf
INF Section  MSBDD_Fallback
Hardware ID  ROOT\BasicDisplay
 
[ System devices / Microsoft Basic Render Driver ]
 
Device Properties:
Driver Description  Microsoft Basic Render Driver
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  basicrender.inf
INF Section  BasicRender
Hardware ID  ROOT\BasicRender
 
[ System devices / Microsoft Hyper-V Virtualization Infrastructure Driver ]
 
Device Properties:
Driver Description  Microsoft Hyper-V Virtualization Infrastructure Driver
Driver Date  6/21/2006
Driver Version  10.0.18362.476
Driver Provider  Microsoft
INF File  wvid.inf
INF Section  Vid_Device_Client.NT
Hardware ID  ROOT\VID
 
[ System devices / Microsoft System Management BIOS Driver ]
 
Device Properties:
Driver Description  Microsoft System Management BIOS Driver
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  mssmbios.inf
INF Section  MSSMBIOS_DRV
Hardware ID  ROOT\mssmbios
 
[ System devices / Microsoft UEFI-Compliant System ]
 
Device Properties:
Driver Description  Microsoft UEFI-Compliant System
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  uefi.inf
INF Section  UEFI_Inst.NT
Hardware ID  ACPI_HAL\UEFI
 
[ System devices / Microsoft Virtual Drive Enumerator ]
 
Device Properties:
Driver Description  Microsoft Virtual Drive Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  vdrvroot.inf
INF Section  VDRVROOT
Hardware ID  ROOT\vdrvroot
 
[ System devices / Microsoft Windows Management Interface for ACPI ]
 
Device Properties:
Driver Description  Microsoft Windows Management Interface for ACPI
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  wmiacpi.inf
INF Section  WMIMAP_Inst.NT
Hardware ID  ACPI\VEN_PNP&DEV_0C14
 
[ System devices / Microsoft Windows Management Interface for ACPI ]
 
Device Properties:
Driver Description  Microsoft Windows Management Interface for ACPI
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  wmiacpi.inf
INF Section  WMIMAP_Inst.NT
Hardware ID  ACPI\VEN_PNP&DEV_0C14
 
[ System devices / Microsoft Windows Management Interface for ACPI ]
 
Device Properties:
Driver Description  Microsoft Windows Management Interface for ACPI
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  wmiacpi.inf
INF Section  WMIMAP_Inst.NT
Hardware ID  ACPI\VEN_PNP&DEV_0C14
 
[ System devices / Microsoft Windows Management Interface for ACPI ]
 
Device Properties:
Driver Description  Microsoft Windows Management Interface for ACPI
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  wmiacpi.inf
INF Section  WMIMAP_Inst.NT
Hardware ID  ACPI\VEN_PNP&DEV_0C14
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_INT&DEV_340E
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_PNP&DEV_0C02
 
[ System devices / Motherboard resources ]
 
Device Properties:
Driver Description  Motherboard resources
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_MBRES
Hardware ID  ACPI\VEN_INT&DEV_3F0D
 
[ System devices / NDIS Virtual Network Adapter Enumerator ]
 
Device Properties:
Driver Description  NDIS Virtual Network Adapter Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  ndisvirtualbus.inf
INF Section  NdisVirtualBus_Device.NT
Hardware ID  ROOT\NdisVirtualBus
 
[ System devices / PCI Express Root Complex ]
 
Device Properties:
Driver Description  PCI Express Root Complex
Driver Date  6/21/2006
Driver Version  10.0.18362.628
Driver Provider  Microsoft
INF File  pci.inf
INF Section  PCI_ROOT
Hardware ID  ACPI\VEN_PNP&DEV_0A08
 
Device Resources:
Memory  000A0000-000BFFFF
Memory  4D400000-BFFFFFFF
Port  0000-0CF7
Port  0D00-FFFF
 
[ System devices / PCI Express Root Port ]
 
Device Properties:
Driver Description  PCI Express Root Port
Driver Date  6/21/2006
Driver Version  10.0.18362.628
Driver Provider  Microsoft
INF File  pci.inf
INF Section  PCI_BRIDGE
Hardware ID  PCI\VEN_8086&DEV_8A1D&SUBSYS_00000000&REV_03
Location Information  PCI bus 0, device 7, function 0
PCI Device  Intel Ice Lake - Thunderbolt PCI Express Controller 0
 
Device Resources:
IRQ  131071
Memory  00000000-1BFFFFFF
Memory  4E000000-5A1FFFFF
 
[ System devices / PCI standard host CPU bridge ]
 
Device Properties:
Driver Description  PCI standard host CPU bridge
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  PCI\VEN_8086&DEV_8A12&SUBSYS_03611854&REV_03
Location Information  PCI bus 0, device 0, function 0
PCI Device  Intel Ice Lake-U 4C - Host Bridge/DRAM Controller
 
[ System devices / PCI standard RAM Controller ]
 
Device Properties:
Driver Description  PCI standard RAM Controller
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV
Hardware ID  PCI\VEN_8086&DEV_34EF&SUBSYS_00000000&REV_30
Location Information  PCI bus 0, device 20, function 2
PCI Device  Intel Ice Point-LP PCH - Shared SRAM
 
[ System devices / Platform Manager ]
 
Device Properties:
Driver Description  Platform Manager
Driver Date  10/7/2019
Driver Version  1.1.1910.702
Driver Provider  LG Electronics Inc.
INF File  oem3.inf
INF Section  PlatMgr_Device.NT
Hardware ID  ACPI\VEN_LGEX&DEV_0820
 
[ System devices / Platform Pep ]
 
Device Properties:
Driver Description  Platform Pep
Driver Date  1/21/2020
Driver Version  1.0.2001.2101
Driver Provider  LG Electronics Inc.
INF File  oem49.inf
INF Section  Pep_Device.NT
Hardware ID  ROOT\LGEX0821
 
[ System devices / Plug and Play Software Device Enumerator ]
 
Device Properties:
Driver Description  Plug and Play Software Device Enumerator
Driver Date  8/27/2019
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  swenum.inf
INF Section  SWENUM
Hardware ID  ROOT\SWENUM
 
[ System devices / Programmable interrupt controller ]
 
Device Properties:
Driver Description  Programmable interrupt controller
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_PIC
Hardware ID  ACPI\VEN_PNP&DEV_0000
 
[ System devices / Remote Desktop Device Redirector Bus ]
 
Device Properties:
Driver Description  Remote Desktop Device Redirector Bus
Driver Date  6/21/2006
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  rdpbus.inf
INF Section  RDPBUS
Hardware ID  ROOT\RDPBUS
 
[ System devices / System timer ]
 
Device Properties:
Driver Description  System timer
Driver Date  6/21/2006
Driver Version  10.0.18362.267
Driver Provider  Microsoft
INF File  machine.inf
INF Section  NO_DRV_X
Hardware ID  ACPI\VEN_PNP&DEV_0100
 
[ System devices / Thunderbolt(TM) Controller - 8A17 ]
 
Device Properties:
Driver Description  Thunderbolt(TM) Controller - 8A17
Driver Date  6/12/2019
Driver Version  1.41.648.5
Driver Provider  Intel(R) Corporation
INF File  oem43.inf
INF Section  TbtBusDrv_YflDevice.NT
Hardware ID  PCI\VEN_8086&DEV_8A17&SUBSYS_00000000&REV_03
Location Information  PCI bus 0, device 13, function 2
PCI Device  Intel Ice Lake - Thunderbolt DMA Controller 1
 
Device Resources:
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
IRQ  65536
Memory  1D100000-1D13FFFF
Memory  1D181000-1D181FFF
 
[ System devices / UMBus Root Bus Enumerator ]
 
Device Properties:
Driver Description  UMBus Root Bus Enumerator
Driver Date  6/21/2006
Driver Version  10.0.18362.329
Driver Provider  Microsoft
INF File  umbus.inf
INF Section  UmBusRoot_Device.NT
Hardware ID  root\umbus
 
[ System devices / Volume Manager ]
 
Device Properties:
Driver Description  Volume Manager
Driver Date  6/21/2006
Driver Version  10.0.18362.628
Driver Provider  Microsoft
INF File  volmgr.inf
INF Section  Volmgr
Hardware ID  ROOT\VOLMGR
 
[ Universal Serial Bus controllers / Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft) ]
 
Device Properties:
Driver Description  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
Driver Date  2/20/2020
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  usbxhci.inf
INF Section  Generic.Install.NT
Hardware ID  PCI\VEN_8086&DEV_8A13&SUBSYS_00000000&REV_03
Location Information  PCI bus 0, device 13, function 0
PCI Device  Intel Ice Lake - USB 3.1 xHCI Host Controller
 
Device Resources:
IRQ  65536
Memory  FFEF0000-FFEFFFFF
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Universal Serial Bus controllers / Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft) ]
 
Device Properties:
Driver Description  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
Driver Date  2/20/2020
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  usbxhci.inf
INF Section  Generic.Install.NT
Hardware ID  PCI\VEN_8086&DEV_34ED&SUBSYS_03611854&REV_30
Location Information  PCI bus 0, device 20, function 0
PCI Device  Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller
 
Device Resources:
IRQ  65536
Memory  1D140000-1D14FFFF
 
Chipset Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/chipsets
BIOS Upgrades  http://www.aida64.com/goto/?p=biosupdates
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Universal Serial Bus controllers / USB Composite Device ]
 
Device Properties:
Driver Description  USB Composite Device
Driver Date  6/21/2006
Driver Version  10.0.18362.693
Driver Provider  Microsoft
INF File  usb.inf
INF Section  Composite.Dev.NT
Hardware ID  USB\VID_0BDA&PID_5641&REV_0011
Location Information  Port_#0002.Hub_#0001
 
[ Universal Serial Bus controllers / USB Root Hub (USB 3.0) ]
 
Device Properties:
Driver Description  USB Root Hub (USB 3.0)
Driver Date  3/18/2019
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  usbhub3.inf
INF Section  Generic.Install.NT
Hardware ID  USB\ROOT_HUB30&VID8086&PID8A13&REV0003
 
[ Universal Serial Bus controllers / USB Root Hub (USB 3.0) ]
 
Device Properties:
Driver Description  USB Root Hub (USB 3.0)
Driver Date  3/18/2019
Driver Version  10.0.18362.1
Driver Provider  Microsoft
INF File  usbhub3.inf
INF Section  Generic.Install.NT
Hardware ID  USB\ROOT_HUB30&VID8086&PID34ED&REV0030
 
[ Unknown / Unknown ]
 
Device Properties:
Driver Description  Unknown


Physical Devices

 
PCI Devices:
Bus 0, Device 4, Function 0  Intel Ice Lake - Dynamic Platform & Thermal Framework Processor Participant
Bus 0, Device 0, Function 0  Intel Ice Lake-U 4C - Host Bridge/DRAM Controller
Bus 0, Device 2, Function 0  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
Bus 0, Device 31, Function 3  Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
Bus 0, Device 30, Function 3  Intel Ice Point-LP PCH - GSPI Controller 1
Bus 0, Device 22, Function 0  Intel Ice Point-LP PCH - HECI Controller 1
Bus 0, Device 21, Function 0  Intel Ice Point-LP PCH - I2C Controller 0
Bus 0, Device 21, Function 1  Intel Ice Point-LP PCH - I2C Controller 1
Bus 0, Device 29, Function 4  Intel Ice Point-LP PCH - PCI Express Root Port 13
Bus 0, Device 29, Function 0  Intel Ice Point-LP PCH - PCI Express Root Port 9
Bus 0, Device 20, Function 2  Intel Ice Point-LP PCH - Shared SRAM
Bus 0, Device 31, Function 4  Intel Ice Point-LP PCH - SMBus Controller
Bus 0, Device 31, Function 5  Intel Ice Point-LP PCH - SPI (Flash) Controller
Bus 0, Device 30, Function 0  Intel Ice Point-LP PCH - UART Controller 0
Bus 0, Device 20, Function 0  Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller
Bus 0, Device 20, Function 3  Intel Ice Point-LP PCH - WiFi Controller
Bus 0, Device 31, Function 0  Intel Ice Point-LP PCH Premium - eSPI Controller [D0]
Bus 44, Device 0, Function 0  Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller
Bus 43, Device 0, Function 0  Samsung NVMe SSD Controller
 
PnP Devices:
PNP0C08  ACPI Driver/BIOS
ACPI000C  ACPI Processor Aggregator
THERMALZONE  ACPI Thermal Zone
PNP0A08  ACPI Three-wire Device Bus
PNP0C0A  Control Method Battery
PNP0C09  Embedded Controller Device
GXFP5A8B  Goodix Fingerprint SPI Device
PNP0103  High Precision Event Timer
ELAN0E03  I2C HID Device
INT3403  Intel Dynamic Platform & Thermal Framework Generic Participant
INT3403  Intel Dynamic Platform & Thermal Framework Generic Participant
INT3405  Intel Dynamic Platform & Thermal Framework Processor Participant
INT3400  Intel Dynamic Platform & Thermal Framework
INT3455  Intel Ice Point-LP PCH - Serial IO GPIO Host Controller
INT33A1  Intel Power Engine Plug-in
INT0E0C  Intel Software Guard Extensions Device
INT340E  Intel System Device
INT3F0D  Intel Watchdog Timer
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_126_-_INTEL(R)_CORE(TM)_I7-1065G7_CPU_@_1.30GHZ  Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
LGEX0815  LG Airplane Mode Button
PNP0C0D  Lid
ACPI0003  Microsoft AC Adapter
UEFI  Microsoft UEFI-Compliant System
PNP0C14  Microsoft Windows Management Interface for ACPI
PNP0C14  Microsoft Windows Management Interface for ACPI
PNP0C14  Microsoft Windows Management Interface for ACPI
PNP0C14  Microsoft Windows Management Interface for ACPI
LGEX0820  Platform Manager
PNP0C0C  Power Button
PNP0000  Programmable Interrupt Controller
PNP0C0E  Sleep Button
LGEX0001  Standard PS/2 Keyboard
PNP0100  System Timer
PNP0C02  Thermal Monitoring ACPI Device
PNP0C02  Thermal Monitoring ACPI Device
PNP0C02  Thermal Monitoring ACPI Device
PNP0C02  Thermal Monitoring ACPI Device
PNP0C02  Thermal Monitoring ACPI Device
PNP0C02  Thermal Monitoring ACPI Device
INTC5000  Trusted Platform Module 2.0
 
USB Devices:
8087 0026  Intel(R) Wireless Bluetooth(R)
0BDA 5641  LG Camera
0BDA 5641  USB Composite Device


PCI Devices

 
[ Intel Ice Lake - Dynamic Platform & Thermal Framework Processor Participant ]
 
Device Properties:
Device Description  Intel Ice Lake - Dynamic Platform & Thermal Framework Processor Participant
Bus Type  PCI
Bus / Device / Function  0 / 4 / 0
Device ID  8086-8A03
Subsystem ID  1854-0361
Device Class  1180 (Data Acquisition / Signal Processing Controller)
Revision  03
Fast Back-to-Back Transactions  Supported, Disabled
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Lake-U 4C - Host Bridge/DRAM Controller ]
 
Device Properties:
Device Description  Intel Ice Lake-U 4C - Host Bridge/DRAM Controller
Bus Type  PCI
Bus / Device / Function  0 / 0 / 0
Device ID  8086-8A12
Subsystem ID  1854-0361
Device Class  0600 (Host/PCI Bridge)
Revision  03
Fast Back-to-Back Transactions  Supported, Disabled
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller ]
 
Device Properties:
Device Description  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
Bus Type  PCI Express 2.0
Bus / Device / Function  0 / 2 / 0
Device ID  8086-8A52
Subsystem ID  1854-0361
Device Class  0300 (VGA Display Controller)
Revision  07
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
Video Adapter Manufacturer:
Company Name  Intel Corporation
Product Information  https://www.intel.com/products/chipsets
Driver Download  https://www.intel.com/support/graphics
Driver Update  http://www.aida64.com/goto/?p=drvupdates
 
[ Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech) ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
Bus Type  PCI
Bus / Device / Function  0 / 31 / 3
Device ID  8086-34C8
Subsystem ID  1854-0361
Device Class  0403 (High Definition Audio)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH - GSPI Controller 1 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - GSPI Controller 1
Bus Type  PCI
Bus / Device / Function  0 / 30 / 3
Device ID  8086-34AB
Subsystem ID  1854-0361
Device Class  0C80 (Serial Bus Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - HECI Controller 1 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - HECI Controller 1
Bus Type  PCI
Bus / Device / Function  0 / 22 / 0
Device ID  8086-34E0
Subsystem ID  1854-0361
Device Class  0780 (Communications Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH - I2C Controller 0 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - I2C Controller 0
Bus Type  PCI
Bus / Device / Function  0 / 21 / 0
Device ID  8086-34E8
Subsystem ID  1854-0361
Device Class  0C80 (Serial Bus Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH - I2C Controller 1 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - I2C Controller 1
Bus Type  PCI
Bus / Device / Function  0 / 21 / 1
Device ID  8086-34E9
Subsystem ID  1854-0361
Device Class  0C80 (Serial Bus Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - PCI Express Root Port 13 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - PCI Express Root Port 13
Bus Type  PCI
Bus / Device / Function  0 / 29 / 4
Device ID  8086-34B4
Subsystem ID  0000-0000
Device Class  0604 (PCI/PCI Bridge)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH - PCI Express Root Port 9 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - PCI Express Root Port 9
Bus Type  PCI
Bus / Device / Function  0 / 29 / 0
Device ID  8086-34B0
Subsystem ID  0000-0000
Device Class  0604 (PCI/PCI Bridge)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH - Shared SRAM ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - Shared SRAM
Bus Type  PCI
Bus / Device / Function  0 / 20 / 2
Device ID  8086-34EF
Subsystem ID  0000-0000
Device Class  0500 (RAM Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - SMBus Controller ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - SMBus Controller
Bus Type  PCI
Bus / Device / Function  0 / 31 / 4
Device ID  8086-34A3
Subsystem ID  1854-0361
Device Class  0C05 (SMBus Controller)
Revision  30
Fast Back-to-Back Transactions  Supported, Disabled
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - SPI (Flash) Controller ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - SPI (Flash) Controller
Bus Type  PCI
Bus / Device / Function  0 / 31 / 5
Device ID  8086-34A4
Subsystem ID  1854-0361
Device Class  0C80 (Serial Bus Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - UART Controller 0 ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - UART Controller 0
Bus Type  PCI
Bus / Device / Function  0 / 30 / 0
Device ID  8086-34A8
Subsystem ID  1854-0361
Device Class  0780 (Communications Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller
Bus Type  PCI
Bus / Device / Function  0 / 20 / 0
Device ID  8086-34ED
Subsystem ID  1854-0361
Device Class  0C03 (USB3 xHCI Controller)
Revision  30
Fast Back-to-Back Transactions  Supported, Disabled
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Disabled
 
[ Intel Ice Point-LP PCH - WiFi Controller ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH - WiFi Controller
Bus Type  PCI Express 2.0
Bus / Device / Function  0 / 20 / 3
Device ID  8086-34F0
Subsystem ID  8086-0074
Device Class  0280 (Network Controller)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Intel Ice Point-LP PCH Premium - eSPI Controller [D0] ]
 
Device Properties:
Device Description  Intel Ice Point-LP PCH Premium - eSPI Controller [D0]
Bus Type  PCI
Bus / Device / Function  0 / 31 / 0
Device ID  8086-3482
Subsystem ID  1854-0361
Device Class  0601 (PCI/ISA Bridge)
Revision  30
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller ]
 
Device Properties:
Device Description  Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller
Bus Type  PCI Express 3.0 x4
Bus / Device / Function  44 / 0 / 0
Device ID  10EC-5763
Subsystem ID  10EC-5763
Device Class  0108 (Non-Volatile Memory Controller)
Revision  01
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled
 
[ Samsung NVMe SSD Controller ]
 
Device Properties:
Device Description  Samsung NVMe SSD Controller
Bus Type  PCI Express 3.0 x4
Bus / Device / Function  43 / 0 / 0
Device ID  144D-A808
Subsystem ID  144D-A801
Device Class  0108 (Non-Volatile Memory Controller)
Revision  00
Fast Back-to-Back Transactions  Not Supported
 
Device Features:
66 MHz Operation  Not Supported
Bus Mastering  Enabled


USB Devices

 
[ USB Composite Device ]
 
Device Properties:
Device Description  USB Composite Device
Device ID  0BDA-5641
Device Class  EF / 02 (Interface Association Descriptor)
Device Protocol  01
Revision  0011h
Supported USB Version  2.00
Current Speed  High (USB 2.0)
 
[ Intel(R) Wireless Bluetooth(R) ]
 
Device Properties:
Device Description  Intel(R) Wireless Bluetooth(R)
Device ID  8087-0026
Device Class  E0 / 01 (Bluetooth)
Device Protocol  01
Revision  0002h
Supported USB Version  2.01
Current Speed  Full (USB 1.1)


Device Resources

 
Resource  Share  Device Description
IRQ 01  Exclusive  Standard PS/2 Keyboard
IRQ 100  Exclusive  Microsoft ACPI-Compliant System
IRQ 101  Exclusive  Microsoft ACPI-Compliant System
IRQ 102  Exclusive  Microsoft ACPI-Compliant System
IRQ 1024  Exclusive  Goodix Fingerprint SPI Device
IRQ 103  Exclusive  Microsoft ACPI-Compliant System
IRQ 104  Exclusive  Microsoft ACPI-Compliant System
IRQ 105  Exclusive  Microsoft ACPI-Compliant System
IRQ 106  Exclusive  Microsoft ACPI-Compliant System
IRQ 107  Exclusive  Microsoft ACPI-Compliant System
IRQ 108  Exclusive  Microsoft ACPI-Compliant System
IRQ 109  Exclusive  Microsoft ACPI-Compliant System
IRQ 110  Exclusive  Microsoft ACPI-Compliant System
IRQ 111  Exclusive  Microsoft ACPI-Compliant System
IRQ 112  Exclusive  Microsoft ACPI-Compliant System
IRQ 113  Exclusive  Microsoft ACPI-Compliant System
IRQ 114  Exclusive  Microsoft ACPI-Compliant System
IRQ 115  Exclusive  Microsoft ACPI-Compliant System
IRQ 116  Exclusive  Microsoft ACPI-Compliant System
IRQ 117  Exclusive  Microsoft ACPI-Compliant System
IRQ 118  Exclusive  Microsoft ACPI-Compliant System
IRQ 119  Exclusive  Microsoft ACPI-Compliant System
IRQ 120  Exclusive  Microsoft ACPI-Compliant System
IRQ 121  Exclusive  Microsoft ACPI-Compliant System
IRQ 122  Exclusive  Microsoft ACPI-Compliant System
IRQ 123  Exclusive  Microsoft ACPI-Compliant System
IRQ 124  Exclusive  Microsoft ACPI-Compliant System
IRQ 125  Exclusive  Microsoft ACPI-Compliant System
IRQ 126  Exclusive  Microsoft ACPI-Compliant System
IRQ 127  Exclusive  Microsoft ACPI-Compliant System
IRQ 128  Exclusive  Microsoft ACPI-Compliant System
IRQ 129  Exclusive  Microsoft ACPI-Compliant System
IRQ 130  Exclusive  Microsoft ACPI-Compliant System
IRQ 131  Exclusive  Microsoft ACPI-Compliant System
IRQ 131071  Exclusive  Intel(R) PCI Express Root Port #13 - 34B4
IRQ 131071  Exclusive  Intel(R) PCI Express Root Port #9 - 34B0
IRQ 131071  Exclusive  PCI Express Root Port
IRQ 132  Exclusive  Microsoft ACPI-Compliant System
IRQ 133  Exclusive  Microsoft ACPI-Compliant System
IRQ 134  Exclusive  Microsoft ACPI-Compliant System
IRQ 135  Exclusive  Microsoft ACPI-Compliant System
IRQ 136  Exclusive  Microsoft ACPI-Compliant System
IRQ 137  Exclusive  Microsoft ACPI-Compliant System
IRQ 138  Exclusive  Microsoft ACPI-Compliant System
IRQ 139  Exclusive  Microsoft ACPI-Compliant System
IRQ 14  Shared  Intel(R) Serial IO GPIO Host Controller - INT3455
IRQ 140  Exclusive  Microsoft ACPI-Compliant System
IRQ 141  Exclusive  Microsoft ACPI-Compliant System
IRQ 142  Exclusive  Microsoft ACPI-Compliant System
IRQ 143  Exclusive  Microsoft ACPI-Compliant System
IRQ 144  Exclusive  Microsoft ACPI-Compliant System
IRQ 145  Exclusive  Microsoft ACPI-Compliant System
IRQ 146  Exclusive  Microsoft ACPI-Compliant System
IRQ 147  Exclusive  Microsoft ACPI-Compliant System
IRQ 148  Exclusive  Microsoft ACPI-Compliant System
IRQ 149  Exclusive  Microsoft ACPI-Compliant System
IRQ 150  Exclusive  Microsoft ACPI-Compliant System
IRQ 151  Exclusive  Microsoft ACPI-Compliant System
IRQ 152  Exclusive  Microsoft ACPI-Compliant System
IRQ 153  Exclusive  Microsoft ACPI-Compliant System
IRQ 154  Exclusive  Microsoft ACPI-Compliant System
IRQ 155  Exclusive  Microsoft ACPI-Compliant System
IRQ 156  Exclusive  Microsoft ACPI-Compliant System
IRQ 157  Exclusive  Microsoft ACPI-Compliant System
IRQ 158  Exclusive  Microsoft ACPI-Compliant System
IRQ 159  Exclusive  Microsoft ACPI-Compliant System
IRQ 16  Shared  High Definition Audio Controller
IRQ 16  Shared  Intel(R) Dynamic Tuning Processor Participant
IRQ 16  Shared  Intel(R) Serial IO I2C Host Controller - 34E8
IRQ 160  Exclusive  Microsoft ACPI-Compliant System
IRQ 161  Exclusive  Microsoft ACPI-Compliant System
IRQ 162  Exclusive  Microsoft ACPI-Compliant System
IRQ 163  Exclusive  Microsoft ACPI-Compliant System
IRQ 164  Exclusive  Microsoft ACPI-Compliant System
IRQ 165  Exclusive  Microsoft ACPI-Compliant System
IRQ 166  Exclusive  Microsoft ACPI-Compliant System
IRQ 167  Exclusive  Microsoft ACPI-Compliant System
IRQ 168  Exclusive  Microsoft ACPI-Compliant System
IRQ 169  Exclusive  Microsoft ACPI-Compliant System
IRQ 17  Shared  Intel(R) Serial IO I2C Host Controller - 34E9
IRQ 170  Exclusive  Microsoft ACPI-Compliant System
IRQ 171  Exclusive  Microsoft ACPI-Compliant System
IRQ 172  Exclusive  Microsoft ACPI-Compliant System
IRQ 173  Exclusive  Microsoft ACPI-Compliant System
IRQ 174  Exclusive  Microsoft ACPI-Compliant System
IRQ 175  Exclusive  Microsoft ACPI-Compliant System
IRQ 176  Exclusive  Microsoft ACPI-Compliant System
IRQ 177  Exclusive  Microsoft ACPI-Compliant System
IRQ 178  Exclusive  Microsoft ACPI-Compliant System
IRQ 179  Exclusive  Microsoft ACPI-Compliant System
IRQ 180  Exclusive  Microsoft ACPI-Compliant System
IRQ 181  Exclusive  Microsoft ACPI-Compliant System
IRQ 182  Exclusive  Microsoft ACPI-Compliant System
IRQ 183  Exclusive  Microsoft ACPI-Compliant System
IRQ 184  Exclusive  Microsoft ACPI-Compliant System
IRQ 185  Exclusive  Microsoft ACPI-Compliant System
IRQ 186  Exclusive  Microsoft ACPI-Compliant System
IRQ 187  Exclusive  Microsoft ACPI-Compliant System
IRQ 188  Exclusive  Microsoft ACPI-Compliant System
IRQ 189  Exclusive  Microsoft ACPI-Compliant System
IRQ 190  Exclusive  Microsoft ACPI-Compliant System
IRQ 191  Exclusive  Microsoft ACPI-Compliant System
IRQ 192  Exclusive  Microsoft ACPI-Compliant System
IRQ 193  Exclusive  Microsoft ACPI-Compliant System
IRQ 194  Exclusive  Microsoft ACPI-Compliant System
IRQ 195  Exclusive  Microsoft ACPI-Compliant System
IRQ 196  Exclusive  Microsoft ACPI-Compliant System
IRQ 197  Exclusive  Microsoft ACPI-Compliant System
IRQ 198  Exclusive  Microsoft ACPI-Compliant System
IRQ 199  Exclusive  Microsoft ACPI-Compliant System
IRQ 20  Shared  Intel(R) Serial IO UART Host Controller - 34A8
IRQ 200  Exclusive  Microsoft ACPI-Compliant System
IRQ 201  Exclusive  Microsoft ACPI-Compliant System
IRQ 202  Exclusive  Microsoft ACPI-Compliant System
IRQ 203  Exclusive  Microsoft ACPI-Compliant System
IRQ 204  Exclusive  Microsoft ACPI-Compliant System
IRQ 23  Shared  Intel(R) Serial IO SPI Host Controller - 34AB
IRQ 256  Exclusive  Microsoft ACPI-Compliant System
IRQ 257  Exclusive  Microsoft ACPI-Compliant System
IRQ 258  Exclusive  Microsoft ACPI-Compliant System
IRQ 259  Exclusive  Microsoft ACPI-Compliant System
IRQ 260  Exclusive  Microsoft ACPI-Compliant System
IRQ 261  Exclusive  Microsoft ACPI-Compliant System
IRQ 262  Exclusive  Microsoft ACPI-Compliant System
IRQ 263  Exclusive  Microsoft ACPI-Compliant System
IRQ 264  Exclusive  Microsoft ACPI-Compliant System
IRQ 265  Exclusive  Microsoft ACPI-Compliant System
IRQ 266  Exclusive  Microsoft ACPI-Compliant System
IRQ 267  Exclusive  Microsoft ACPI-Compliant System
IRQ 268  Exclusive  Microsoft ACPI-Compliant System
IRQ 269  Exclusive  Microsoft ACPI-Compliant System
IRQ 270  Exclusive  Microsoft ACPI-Compliant System
IRQ 271  Exclusive  Microsoft ACPI-Compliant System
IRQ 272  Exclusive  Microsoft ACPI-Compliant System
IRQ 273  Exclusive  Microsoft ACPI-Compliant System
IRQ 274  Exclusive  Microsoft ACPI-Compliant System
IRQ 275  Exclusive  Microsoft ACPI-Compliant System
IRQ 276  Exclusive  Microsoft ACPI-Compliant System
IRQ 277  Exclusive  Microsoft ACPI-Compliant System
IRQ 278  Exclusive  Microsoft ACPI-Compliant System
IRQ 279  Exclusive  Microsoft ACPI-Compliant System
IRQ 280  Exclusive  Microsoft ACPI-Compliant System
IRQ 281  Exclusive  Microsoft ACPI-Compliant System
IRQ 282  Exclusive  Microsoft ACPI-Compliant System
IRQ 283  Exclusive  Microsoft ACPI-Compliant System
IRQ 284  Exclusive  Microsoft ACPI-Compliant System
IRQ 285  Exclusive  Microsoft ACPI-Compliant System
IRQ 286  Exclusive  Microsoft ACPI-Compliant System
IRQ 287  Exclusive  Microsoft ACPI-Compliant System
IRQ 288  Exclusive  Microsoft ACPI-Compliant System
IRQ 289  Exclusive  Microsoft ACPI-Compliant System
IRQ 290  Exclusive  Microsoft ACPI-Compliant System
IRQ 291  Exclusive  Microsoft ACPI-Compliant System
IRQ 292  Exclusive  Microsoft ACPI-Compliant System
IRQ 293  Exclusive  Microsoft ACPI-Compliant System
IRQ 294  Exclusive  Microsoft ACPI-Compliant System
IRQ 295  Exclusive  Microsoft ACPI-Compliant System
IRQ 296  Exclusive  Microsoft ACPI-Compliant System
IRQ 297  Exclusive  Microsoft ACPI-Compliant System
IRQ 298  Exclusive  Microsoft ACPI-Compliant System
IRQ 299  Exclusive  Microsoft ACPI-Compliant System
IRQ 300  Exclusive  Microsoft ACPI-Compliant System
IRQ 301  Exclusive  Microsoft ACPI-Compliant System
IRQ 302  Exclusive  Microsoft ACPI-Compliant System
IRQ 303  Exclusive  Microsoft ACPI-Compliant System
IRQ 304  Exclusive  Microsoft ACPI-Compliant System
IRQ 305  Exclusive  Microsoft ACPI-Compliant System
IRQ 306  Exclusive  Microsoft ACPI-Compliant System
IRQ 307  Exclusive  Microsoft ACPI-Compliant System
IRQ 308  Exclusive  Microsoft ACPI-Compliant System
IRQ 309  Exclusive  Microsoft ACPI-Compliant System
IRQ 310  Exclusive  Microsoft ACPI-Compliant System
IRQ 311  Exclusive  Microsoft ACPI-Compliant System
IRQ 312  Exclusive  Microsoft ACPI-Compliant System
IRQ 313  Exclusive  Microsoft ACPI-Compliant System
IRQ 314  Exclusive  Microsoft ACPI-Compliant System
IRQ 315  Exclusive  Microsoft ACPI-Compliant System
IRQ 316  Exclusive  Microsoft ACPI-Compliant System
IRQ 317  Exclusive  Microsoft ACPI-Compliant System
IRQ 318  Exclusive  Microsoft ACPI-Compliant System
IRQ 319  Exclusive  Microsoft ACPI-Compliant System
IRQ 320  Exclusive  Microsoft ACPI-Compliant System
IRQ 321  Exclusive  Microsoft ACPI-Compliant System
IRQ 322  Exclusive  Microsoft ACPI-Compliant System
IRQ 323  Exclusive  Microsoft ACPI-Compliant System
IRQ 324  Exclusive  Microsoft ACPI-Compliant System
IRQ 325  Exclusive  Microsoft ACPI-Compliant System
IRQ 326  Exclusive  Microsoft ACPI-Compliant System
IRQ 327  Exclusive  Microsoft ACPI-Compliant System
IRQ 328  Exclusive  Microsoft ACPI-Compliant System
IRQ 329  Exclusive  Microsoft ACPI-Compliant System
IRQ 330  Exclusive  Microsoft ACPI-Compliant System
IRQ 331  Exclusive  Microsoft ACPI-Compliant System
IRQ 332  Exclusive  Microsoft ACPI-Compliant System
IRQ 333  Exclusive  Microsoft ACPI-Compliant System
IRQ 334  Exclusive  Microsoft ACPI-Compliant System
IRQ 335  Exclusive  Microsoft ACPI-Compliant System
IRQ 336  Exclusive  Microsoft ACPI-Compliant System
IRQ 337  Exclusive  Microsoft ACPI-Compliant System
IRQ 338  Exclusive  Microsoft ACPI-Compliant System
IRQ 339  Exclusive  Microsoft ACPI-Compliant System
IRQ 340  Exclusive  Microsoft ACPI-Compliant System
IRQ 341  Exclusive  Microsoft ACPI-Compliant System
IRQ 342  Exclusive  Microsoft ACPI-Compliant System
IRQ 343  Exclusive  Microsoft ACPI-Compliant System
IRQ 344  Exclusive  Microsoft ACPI-Compliant System
IRQ 345  Exclusive  Microsoft ACPI-Compliant System
IRQ 346  Exclusive  Microsoft ACPI-Compliant System
IRQ 347  Exclusive  Microsoft ACPI-Compliant System
IRQ 348  Exclusive  Microsoft ACPI-Compliant System
IRQ 349  Exclusive  Microsoft ACPI-Compliant System
IRQ 350  Exclusive  Microsoft ACPI-Compliant System
IRQ 351  Exclusive  Microsoft ACPI-Compliant System
IRQ 352  Exclusive  Microsoft ACPI-Compliant System
IRQ 353  Exclusive  Microsoft ACPI-Compliant System
IRQ 354  Exclusive  Microsoft ACPI-Compliant System
IRQ 355  Exclusive  Microsoft ACPI-Compliant System
IRQ 356  Exclusive  Microsoft ACPI-Compliant System
IRQ 357  Exclusive  Microsoft ACPI-Compliant System
IRQ 358  Exclusive  Microsoft ACPI-Compliant System
IRQ 359  Exclusive  Microsoft ACPI-Compliant System
IRQ 360  Exclusive  Microsoft ACPI-Compliant System
IRQ 361  Exclusive  Microsoft ACPI-Compliant System
IRQ 362  Exclusive  Microsoft ACPI-Compliant System
IRQ 363  Exclusive  Microsoft ACPI-Compliant System
IRQ 364  Exclusive  Microsoft ACPI-Compliant System
IRQ 365  Exclusive  Microsoft ACPI-Compliant System
IRQ 366  Exclusive  Microsoft ACPI-Compliant System
IRQ 367  Exclusive  Microsoft ACPI-Compliant System
IRQ 368  Exclusive  Microsoft ACPI-Compliant System
IRQ 369  Exclusive  Microsoft ACPI-Compliant System
IRQ 370  Exclusive  Microsoft ACPI-Compliant System
IRQ 371  Exclusive  Microsoft ACPI-Compliant System
IRQ 372  Exclusive  Microsoft ACPI-Compliant System
IRQ 373  Exclusive  Microsoft ACPI-Compliant System
IRQ 374  Exclusive  Microsoft ACPI-Compliant System
IRQ 375  Exclusive  Microsoft ACPI-Compliant System
IRQ 376  Exclusive  Microsoft ACPI-Compliant System
IRQ 377  Exclusive  Microsoft ACPI-Compliant System
IRQ 378  Exclusive  Microsoft ACPI-Compliant System
IRQ 379  Exclusive  Microsoft ACPI-Compliant System
IRQ 380  Exclusive  Microsoft ACPI-Compliant System
IRQ 381  Exclusive  Microsoft ACPI-Compliant System
IRQ 382  Exclusive  Microsoft ACPI-Compliant System
IRQ 383  Exclusive  Microsoft ACPI-Compliant System
IRQ 384  Exclusive  Microsoft ACPI-Compliant System
IRQ 385  Exclusive  Microsoft ACPI-Compliant System
IRQ 386  Exclusive  Microsoft ACPI-Compliant System
IRQ 387  Exclusive  Microsoft ACPI-Compliant System
IRQ 388  Exclusive  Microsoft ACPI-Compliant System
IRQ 389  Exclusive  Microsoft ACPI-Compliant System
IRQ 390  Exclusive  Microsoft ACPI-Compliant System
IRQ 391  Exclusive  Microsoft ACPI-Compliant System
IRQ 392  Exclusive  Microsoft ACPI-Compliant System
IRQ 393  Exclusive  Microsoft ACPI-Compliant System
IRQ 394  Exclusive  Microsoft ACPI-Compliant System
IRQ 395  Exclusive  Microsoft ACPI-Compliant System
IRQ 396  Exclusive  Microsoft ACPI-Compliant System
IRQ 397  Exclusive  Microsoft ACPI-Compliant System
IRQ 398  Exclusive  Microsoft ACPI-Compliant System
IRQ 399  Exclusive  Microsoft ACPI-Compliant System
IRQ 400  Exclusive  Microsoft ACPI-Compliant System
IRQ 401  Exclusive  Microsoft ACPI-Compliant System
IRQ 402  Exclusive  Microsoft ACPI-Compliant System
IRQ 403  Exclusive  Microsoft ACPI-Compliant System
IRQ 404  Exclusive  Microsoft ACPI-Compliant System
IRQ 405  Exclusive  Microsoft ACPI-Compliant System
IRQ 406  Exclusive  Microsoft ACPI-Compliant System
IRQ 407  Exclusive  Microsoft ACPI-Compliant System
IRQ 408  Exclusive  Microsoft ACPI-Compliant System
IRQ 409  Exclusive  Microsoft ACPI-Compliant System
IRQ 410  Exclusive  Microsoft ACPI-Compliant System
IRQ 411  Exclusive  Microsoft ACPI-Compliant System
IRQ 412  Exclusive  Microsoft ACPI-Compliant System
IRQ 413  Exclusive  Microsoft ACPI-Compliant System
IRQ 414  Exclusive  Microsoft ACPI-Compliant System
IRQ 415  Exclusive  Microsoft ACPI-Compliant System
IRQ 416  Exclusive  Microsoft ACPI-Compliant System
IRQ 417  Exclusive  Microsoft ACPI-Compliant System
IRQ 418  Exclusive  Microsoft ACPI-Compliant System
IRQ 419  Exclusive  Microsoft ACPI-Compliant System
IRQ 420  Exclusive  Microsoft ACPI-Compliant System
IRQ 421  Exclusive  Microsoft ACPI-Compliant System
IRQ 422  Exclusive  Microsoft ACPI-Compliant System
IRQ 423  Exclusive  Microsoft ACPI-Compliant System
IRQ 424  Exclusive  Microsoft ACPI-Compliant System
IRQ 425  Exclusive  Microsoft ACPI-Compliant System
IRQ 426  Exclusive  Microsoft ACPI-Compliant System
IRQ 427  Exclusive  Microsoft ACPI-Compliant System
IRQ 428  Exclusive  Microsoft ACPI-Compliant System
IRQ 429  Exclusive  Microsoft ACPI-Compliant System
IRQ 430  Exclusive  Microsoft ACPI-Compliant System
IRQ 431  Exclusive  Microsoft ACPI-Compliant System
IRQ 432  Exclusive  Microsoft ACPI-Compliant System
IRQ 433  Exclusive  Microsoft ACPI-Compliant System
IRQ 434  Exclusive  Microsoft ACPI-Compliant System
IRQ 435  Exclusive  Microsoft ACPI-Compliant System
IRQ 436  Exclusive  Microsoft ACPI-Compliant System
IRQ 437  Exclusive  Microsoft ACPI-Compliant System
IRQ 438  Exclusive  Microsoft ACPI-Compliant System
IRQ 439  Exclusive  Microsoft ACPI-Compliant System
IRQ 440  Exclusive  Microsoft ACPI-Compliant System
IRQ 441  Exclusive  Microsoft ACPI-Compliant System
IRQ 442  Exclusive  Microsoft ACPI-Compliant System
IRQ 443  Exclusive  Microsoft ACPI-Compliant System
IRQ 444  Exclusive  Microsoft ACPI-Compliant System
IRQ 445  Exclusive  Microsoft ACPI-Compliant System
IRQ 446  Exclusive  Microsoft ACPI-Compliant System
IRQ 447  Exclusive  Microsoft ACPI-Compliant System
IRQ 448  Exclusive  Microsoft ACPI-Compliant System
IRQ 449  Exclusive  Microsoft ACPI-Compliant System
IRQ 450  Exclusive  Microsoft ACPI-Compliant System
IRQ 451  Exclusive  Microsoft ACPI-Compliant System
IRQ 452  Exclusive  Microsoft ACPI-Compliant System
IRQ 453  Exclusive  Microsoft ACPI-Compliant System
IRQ 454  Exclusive  Microsoft ACPI-Compliant System
IRQ 455  Exclusive  Microsoft ACPI-Compliant System
IRQ 456  Exclusive  Microsoft ACPI-Compliant System
IRQ 457  Exclusive  Microsoft ACPI-Compliant System
IRQ 458  Exclusive  Microsoft ACPI-Compliant System
IRQ 459  Exclusive  Microsoft ACPI-Compliant System
IRQ 460  Exclusive  Microsoft ACPI-Compliant System
IRQ 461  Exclusive  Microsoft ACPI-Compliant System
IRQ 462  Exclusive  Microsoft ACPI-Compliant System
IRQ 463  Exclusive  Microsoft ACPI-Compliant System
IRQ 464  Exclusive  Microsoft ACPI-Compliant System
IRQ 465  Exclusive  Microsoft ACPI-Compliant System
IRQ 466  Exclusive  Microsoft ACPI-Compliant System
IRQ 467  Exclusive  Microsoft ACPI-Compliant System
IRQ 468  Exclusive  Microsoft ACPI-Compliant System
IRQ 469  Exclusive  Microsoft ACPI-Compliant System
IRQ 470  Exclusive  Microsoft ACPI-Compliant System
IRQ 471  Exclusive  Microsoft ACPI-Compliant System
IRQ 472  Exclusive  Microsoft ACPI-Compliant System
IRQ 473  Exclusive  Microsoft ACPI-Compliant System
IRQ 474  Exclusive  Microsoft ACPI-Compliant System
IRQ 475  Exclusive  Microsoft ACPI-Compliant System
IRQ 476  Exclusive  Microsoft ACPI-Compliant System
IRQ 477  Exclusive  Microsoft ACPI-Compliant System
IRQ 478  Exclusive  Microsoft ACPI-Compliant System
IRQ 479  Exclusive  Microsoft ACPI-Compliant System
IRQ 480  Exclusive  Microsoft ACPI-Compliant System
IRQ 481  Exclusive  Microsoft ACPI-Compliant System
IRQ 482  Exclusive  Microsoft ACPI-Compliant System
IRQ 483  Exclusive  Microsoft ACPI-Compliant System
IRQ 484  Exclusive  Microsoft ACPI-Compliant System
IRQ 485  Exclusive  Microsoft ACPI-Compliant System
IRQ 486  Exclusive  Microsoft ACPI-Compliant System
IRQ 487  Exclusive  Microsoft ACPI-Compliant System
IRQ 488  Exclusive  Microsoft ACPI-Compliant System
IRQ 489  Exclusive  Microsoft ACPI-Compliant System
IRQ 490  Exclusive  Microsoft ACPI-Compliant System
IRQ 491  Exclusive  Microsoft ACPI-Compliant System
IRQ 492  Exclusive  Microsoft ACPI-Compliant System
IRQ 493  Exclusive  Microsoft ACPI-Compliant System
IRQ 494  Exclusive  Microsoft ACPI-Compliant System
IRQ 495  Exclusive  Microsoft ACPI-Compliant System
IRQ 496  Exclusive  Microsoft ACPI-Compliant System
IRQ 497  Exclusive  Microsoft ACPI-Compliant System
IRQ 498  Exclusive  Microsoft ACPI-Compliant System
IRQ 499  Exclusive  Microsoft ACPI-Compliant System
IRQ 500  Exclusive  Microsoft ACPI-Compliant System
IRQ 501  Exclusive  Microsoft ACPI-Compliant System
IRQ 502  Exclusive  Microsoft ACPI-Compliant System
IRQ 503  Exclusive  Microsoft ACPI-Compliant System
IRQ 504  Exclusive  Microsoft ACPI-Compliant System
IRQ 505  Exclusive  Microsoft ACPI-Compliant System
IRQ 506  Exclusive  Microsoft ACPI-Compliant System
IRQ 507  Exclusive  Microsoft ACPI-Compliant System
IRQ 508  Exclusive  Microsoft ACPI-Compliant System
IRQ 509  Exclusive  Microsoft ACPI-Compliant System
IRQ 510  Exclusive  Microsoft ACPI-Compliant System
IRQ 511  Exclusive  Microsoft ACPI-Compliant System
IRQ 55  Exclusive  Microsoft ACPI-Compliant System
IRQ 56  Exclusive  Microsoft ACPI-Compliant System
IRQ 57  Exclusive  Microsoft ACPI-Compliant System
IRQ 58  Exclusive  Microsoft ACPI-Compliant System
IRQ 59  Exclusive  Microsoft ACPI-Compliant System
IRQ 60  Exclusive  Microsoft ACPI-Compliant System
IRQ 61  Exclusive  Microsoft ACPI-Compliant System
IRQ 62  Exclusive  Microsoft ACPI-Compliant System
IRQ 63  Exclusive  Microsoft ACPI-Compliant System
IRQ 64  Exclusive  Microsoft ACPI-Compliant System
IRQ 65  Exclusive  Microsoft ACPI-Compliant System
IRQ 65536  Exclusive  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
IRQ 65536  Exclusive  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
IRQ 65536  Exclusive  Intel(R) Wi-Fi 6 AX201 160MHz
IRQ 65536  Exclusive  Intel(R) Wi-Fi 6 AX201 160MHz
IRQ 65536  Exclusive  Intel(R) Management Engine Interface
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Thunderbolt(TM) Controller - 8A17
IRQ 65536  Exclusive  Intel(R) Iris(R) Plus Graphics
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 65536  Exclusive  Standard NVM Express Controller
IRQ 66  Exclusive  Microsoft ACPI-Compliant System
IRQ 67  Exclusive  Microsoft ACPI-Compliant System
IRQ 68  Exclusive  Microsoft ACPI-Compliant System
IRQ 69  Exclusive  Microsoft ACPI-Compliant System
IRQ 70  Exclusive  Microsoft ACPI-Compliant System
IRQ 71  Exclusive  Microsoft ACPI-Compliant System
IRQ 72  Exclusive  Microsoft ACPI-Compliant System
IRQ 73  Exclusive  Microsoft ACPI-Compliant System
IRQ 74  Exclusive  Microsoft ACPI-Compliant System
IRQ 75  Exclusive  Microsoft ACPI-Compliant System
IRQ 76  Exclusive  Microsoft ACPI-Compliant System
IRQ 77  Exclusive  Microsoft ACPI-Compliant System
IRQ 78  Exclusive  Microsoft ACPI-Compliant System
IRQ 79  Exclusive  Microsoft ACPI-Compliant System
IRQ 80  Exclusive  Microsoft ACPI-Compliant System
IRQ 81  Exclusive  Microsoft ACPI-Compliant System
IRQ 82  Exclusive  Microsoft ACPI-Compliant System
IRQ 83  Exclusive  Microsoft ACPI-Compliant System
IRQ 84  Exclusive  Microsoft ACPI-Compliant System
IRQ 85  Exclusive  Microsoft ACPI-Compliant System
IRQ 86  Exclusive  Microsoft ACPI-Compliant System
IRQ 87  Exclusive  Microsoft ACPI-Compliant System
IRQ 88  Exclusive  Microsoft ACPI-Compliant System
IRQ 89  Exclusive  Microsoft ACPI-Compliant System
IRQ 90  Exclusive  Microsoft ACPI-Compliant System
IRQ 91  Exclusive  Microsoft ACPI-Compliant System
IRQ 92  Exclusive  Microsoft ACPI-Compliant System
IRQ 93  Exclusive  Microsoft ACPI-Compliant System
IRQ 94  Exclusive  Microsoft ACPI-Compliant System
IRQ 95  Exclusive  Microsoft ACPI-Compliant System
IRQ 96  Exclusive  Microsoft ACPI-Compliant System
IRQ 97  Exclusive  Microsoft ACPI-Compliant System
IRQ 98  Exclusive  Microsoft ACPI-Compliant System
IRQ 98  Exclusive  I2C HID Device
IRQ 99  Exclusive  Microsoft ACPI-Compliant System
Memory 00000000-0FFFFFFF  Exclusive  Intel(R) Iris(R) Plus Graphics
Memory 00000000-1BFFFFFF  Exclusive  PCI Express Root Port
Memory 000A0000-000BFFFF  Shared  PCI Express Root Complex
Memory 1C000000-1CFFFFFF  Exclusive  Intel(R) Iris(R) Plus Graphics
Memory 1D100000-1D13FFFF  Exclusive  Thunderbolt(TM) Controller - 8A17
Memory 1D140000-1D14FFFF  Exclusive  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
Memory 1D181000-1D181FFF  Exclusive  Thunderbolt(TM) Controller - 8A17
Memory 400C0000-45D7FFFF  Exclusive  Intel(R) Software Guard Extensions Device
Memory 4D400000-BFFFFFFF  Shared  PCI Express Root Complex
Memory 4E000000-5A1FFFFF  Exclusive  PCI Express Root Port
Memory 5A200000-5A203FFF  Exclusive  Standard NVM Express Controller
Memory 5A200000-5A2FFFFF  Exclusive  Intel(R) PCI Express Root Port #13 - 34B4
Memory 5A204000-5A205FFF  Exclusive  Standard NVM Express Controller
Memory 5A300000-5A303FFF  Exclusive  Standard NVM Express Controller
Memory 5A300000-5A3FFFFF  Exclusive  Intel(R) PCI Express Root Port #9 - 34B0
Memory FD690000-FD69FFFF  Exclusive  Intel(R) Serial IO GPIO Host Controller - INT3455
Memory FD6A0000-FD6AFFFF  Exclusive  Intel(R) Serial IO GPIO Host Controller - INT3455
Memory FD6D0000-FD6DFFFF  Exclusive  Intel(R) Serial IO GPIO Host Controller - INT3455
Memory FD6E0000-FD6EFFFF  Exclusive  Intel(R) Serial IO GPIO Host Controller - INT3455
Memory FED40000-FED44FFF  Exclusive  Trusted Platform Module 2.0
Memory FFED0000-FFEDFFFF  Exclusive  Intel(R) Dynamic Tuning Processor Participant
Memory FFEE3000-FFEE3FFF  Exclusive  Intel(R) Serial IO I2C Host Controller - 34E9
Memory FFEE4000-FFEE4FFF  Exclusive  Intel(R) Serial IO I2C Host Controller - 34E8
Memory FFEE5000-FFEE5FFF  Exclusive  Intel(R) Management Engine Interface
Memory FFEE6000-FFEE6FFF  Exclusive  Intel(R) Serial IO UART Host Controller - 34A8
Memory FFEE7000-FFEE7FFF  Exclusive  Intel(R) Serial IO SPI Host Controller - 34AB
Memory FFEE8000-FFEEBFFF  Exclusive  Intel(R) Wi-Fi 6 AX201 160MHz
Memory FFEEC000-FFEEFFFF  Exclusive  High Definition Audio Controller
Memory FFEF0000-FFEFFFFF  Exclusive  Intel(R) USB 3.10 eXtensible Host Controller - 1.10 (Microsoft)
Memory FFF00000-FFFFFFFF  Exclusive  High Definition Audio Controller
Port 0000-0CF7  Shared  PCI Express Root Complex
Port 0060-0060  Exclusive  Standard PS/2 Keyboard
Port 0062-0062  Exclusive  Microsoft ACPI-Compliant Embedded Controller
Port 0064-0064  Exclusive  Standard PS/2 Keyboard
Port 0066-0066  Exclusive  Microsoft ACPI-Compliant Embedded Controller
Port 0D00-FFFF  Shared  PCI Express Root Complex
Port 2000-203F  Exclusive  Intel(R) Iris(R) Plus Graphics


Input

 
[ Standard PS/2 Keyboard ]
 
Keyboard Properties:
Keyboard Name  Standard PS/2 Keyboard
Keyboard Type  Japanese keyboard
Keyboard Layout  US
ANSI Code Page  1252 - Western European (Windows)
OEM Code Page  437
Repeat Delay  1
Repeat Rate  31
 
[ HID-compliant mouse ]
 
Mouse Properties:
Mouse Name  HID-compliant mouse
Mouse Buttons  2
Mouse Hand  Right
Pointer Speed  1
Double-Click Time  500 msec
X/Y Threshold  6 / 10
Wheel Scroll Lines  3
 
Mouse Features:
Active Window Tracking  Disabled
ClickLock  Disabled
Hide Pointer While Typing  Enabled
Mouse Wheel  Not Present
Move Pointer To Default Button  Disabled
Pointer Trails  Disabled
Sonar  Disabled


Printers

 
[ Fax ]
 
Printer Properties:
Printer Name  Fax
Default Printer  No
Share Point  Not shared
Printer Port  SHRFAX:
Printer Driver  Microsoft Shared Fax Driver (v4.00)
Device Name  Fax
Print Processor  winprint
Separator Page  None
Availability  9:00 AM - 9:00 AM
Priority  1
Print Jobs Queued  0
Status  Unknown
 
Paper Properties:
Paper Size  Letter, 8.5 x 11 in
Orientation  Portrait
Print Quality  200 x 200 dpi Mono
 
[ Microsoft Print to PDF (Default) ]
 
Printer Properties:
Printer Name  Microsoft Print to PDF
Default Printer  Yes
Share Point  Not shared
Printer Port  PORTPROMPT:
Printer Driver  Microsoft Print To PDF (v6.03)
Device Name  Microsoft Print to PDF
Print Processor  winprint
Separator Page  None
Availability  9:00 AM - 9:00 AM
Priority  1
Print Jobs Queued  0
Status  Unknown
 
Paper Properties:
Paper Size  Letter, 8.5 x 11 in
Orientation  Portrait
Print Quality  600 x 600 dpi Color
 
[ Microsoft XPS Document Writer ]
 
Printer Properties:
Printer Name  Microsoft XPS Document Writer
Default Printer  No
Share Point  Not shared
Printer Port  PORTPROMPT:
Printer Driver  Microsoft XPS Document Writer v4 (v6.03)
Device Name  Microsoft XPS Document Writer
Print Processor  winprint
Separator Page  None
Availability  9:00 AM - 9:00 AM
Priority  1
Print Jobs Queued  0
Status  Unknown
 
Paper Properties:
Paper Size  Letter, 8.5 x 11 in
Orientation  Portrait
Print Quality  600 x 600 dpi Color


Auto Start

 
Application Description  Start From  Application Command
Application Restart #0  Registry\User\RunOnce  C:\Program Files (x86)\LG Software\LG Reader Mode\ReaderMode.exe /RestartByRestartManager:489B6367-3D3F-4638-BEF6-8493A7EA14F6 /RestartByRestartManager:48D04C44-CB08-40ab-A8F8-7751BE8B808A /RestartByRestartManager:613D8D11-B1CC-49d9-B3E4-4F7627FA61E4 /RestartByRestartManager:CF4F0A22-FE78-42c5-B9E2-7B42171E1926
HotkeyManager  Registry\Common\Run  C:\Program Files (x86)\LG Software\LG OSD\HotkeyManager.exe
LGControlCenter  Registry\Common\Run  C:\Program Files (x86)\LG Software\LG Control Center\LGControlCenterRTManager.exe
OneDrive  Registry\User\Run  C:\Users\redblue\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
ReaderMode  Registry\Common\Run  C:\Program Files (x86)\LG Software\LG Reader Mode\ReaderMode.exe
SecurityHealth  Registry\Common\Run  %windir%\system32\SecurityHealthSystray.exe
SmartAudio  Registry\Common\Run  C:\Program Files (x86)\CONEXANT\SAII\SACpl.exe /c /delay:60


Scheduled

 
[ GoogleUpdateTaskMachineCore ]
 
Task Properties:
Task Name  GoogleUpdateTaskMachineCore
Status  Running
Application Name  C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Application Parameters  /c
Working Folder  
Comment  Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
Account Name  NT AUTHORITY\SYSTEM
Creator  
Last Run  3/18/2020 1:10:37 PM
Next Run  3/19/2020 10:49:09 AM
 
Task Triggers:
At log on  At log on of any user
Daily  At 10:49:09 AM every day
 
[ GoogleUpdateTaskMachineUA ]
 
Task Properties:
Task Name  GoogleUpdateTaskMachineUA
Status  Enabled
Application Name  C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Application Parameters  /ua /installsource scheduler
Working Folder  
Comment  Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
Account Name  NT AUTHORITY\SYSTEM
Creator  
Last Run  3/18/2020 1:10:37 PM
Next Run  3/18/2020 1:49:09 PM
 
Task Triggers:
Daily  At 10:49:09 AM every day - After triggered, repeat every 1 hour for a duration of 1 day
 
[ LGUpdateCenter ]
 
Task Properties:
Task Name  LGUpdateCenter
Status  Enabled
Application Name  C:\Program Files (x86)\LG Software\LG Update Center\UCUpdate.exe
Application Parameters  TrayRequired
Working Folder  
Comment  
Account Name  
Creator  LG Electronics Inc.
Last Run  3/18/2020 1:11:13 PM
Next Run  3/18/2020 4:00:00 PM
 
Task Triggers:
Weekly  At 4:00:00 PM every Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday of every week, starting 3/17/2020
At log on  At log on of any user
 
[ MicrosoftEdgeUpdateTaskMachineCore ]
 
Task Properties:
Task Name  MicrosoftEdgeUpdateTaskMachineCore
Status  Running
Application Name  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Application Parameters  /c
Working Folder  
Comment  Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Microsoft software using it.
Account Name  NT AUTHORITY\SYSTEM
Creator  
Last Run  3/18/2020 1:10:37 PM
Next Run  3/19/2020 11:40:55 AM
 
Task Triggers:
At log on  At log on of any user
Daily  At 11:40:55 AM every day
 
[ MicrosoftEdgeUpdateTaskMachineUA ]
 
Task Properties:
Task Name  MicrosoftEdgeUpdateTaskMachineUA
Status  Enabled
Application Name  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Application Parameters  /ua /installsource scheduler
Working Folder  
Comment  Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Microsoft software using it.
Account Name  NT AUTHORITY\SYSTEM
Creator  
Last Run  3/18/2020 1:10:37 PM
Next Run  3/18/2020 1:40:55 PM
 
Task Triggers:
Daily  At 11:40:55 AM every day - After triggered, repeat every 1 hour for a duration of 1 day
 
[ OneDrive Standalone Update Task-S-1-5-21-4230960370-218822903-690480705-1002 ]
 
Task Properties:
Task Name  OneDrive Standalone Update Task-S-1-5-21-4230960370-218822903-690480705-1002
Status  Enabled
Application Name  %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Application Parameters  
Working Folder  
Comment  
Account Name  DESKTOP-UT5JEJD\redblue
Creator  Microsoft Corporation
Last Run  11/30/1999
Next Run  3/19/2020 12:23:55 PM
 
Task Triggers:
One time  At 11:00:00 AM on 5/1/1992 - After triggered, repeat every 1 day indefinitely
 
[ OneDrive Standalone Update Task-S-1-5-21-4230960370-218822903-690480705-500 ]
 
Task Properties:
Task Name  OneDrive Standalone Update Task-S-1-5-21-4230960370-218822903-690480705-500
Status  Enabled
Application Name  %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Application Parameters  
Working Folder  
Comment  
Account Name  DESKTOP-UT5JEJD\Administrator
Creator  Microsoft Corporation
Last Run  2/21/2020 2:57:18 PM
Next Run  3/20/2020 2:38:02 AM
 
Task Triggers:
One time  At 4:00:00 AM on 5/1/1992 - After triggered, repeat every 1 day indefinitely
 
[ PandaCloseProxyStartUp ]
 
Task Properties:
Task Name  PandaCloseProxyStartUp
Status  Enabled
Application Name  C:/Users/redblue/AppData/Roaming/Panda/CloseProxy.exe
Application Parameters  
Working Folder  
Comment  
Account Name  DESKTOP-UT5JEJD\redblue
Creator  DESKTOP-UT5JEJD\redblue
Last Run  3/18/2020 11:58:45 AM
Next Run  Unknown
 
Task Triggers:
At log on  At log on of any user
 
[ PandaStartUp ]
 
Task Properties:
Task Name  PandaStartUp
Status  Enabled
Application Name  C:/Users/redblue/AppData/Roaming/Panda/Panda.exe
Application Parameters  
Working Folder  
Comment  
Account Name  DESKTOP-UT5JEJD\redblue
Creator  DESKTOP-UT5JEJD\redblue
Last Run  3/18/2020 11:58:45 AM
Next Run  Unknown
 
Task Triggers:
At log on  At log on of any user


Installed Programs

 
Program  Version  Inst. Size  GUID  Publisher  Inst. Date
7-Zip 20.00 alpha (x64)  20.00 alpha  Unknown  7-Zip  Igor Pavlov  
Dynamic Application Loader Host Interface Service  1.0.0.0  Unknown  {8FC67B0C-B68D-4AE3-AE58-1FD5FC7A3432}  Intel Corporation  2019-12-26
Google Chrome  80.0.3987.149  Unknown  Google Chrome  Google LLC  2020-03-18
Google Update Helper  1.3.35.441  Unknown  {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}  Google LLC  2020-03-18
Intel(R) Chipset Device Software  10.1.18121.8164  Unknown  {00C43022-CFDA-4942-9D3F-04199C91C939}  Intel Corporation  2019-12-26
Intel(R) Dynamic Tuning  8.6.10401.9906  Unknown  {654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}  Intel Corporation  
Intel(R) Icls  1.0.0.0  Unknown  {E84A5854-223A-4220-B6EE-9621EDF8B299}  Intel Corporation  2019-12-26
Intel(R) LMS  1.0.0.0  Unknown  {36DA6E10-C160-4F1D-85F8-F6A1E4FE9EDC}  Intel Corporation  2019-12-26
Intel(R) Management Engine Components  1.0.0.0  Unknown  {8AD2B189-4EB4-4C6C-9696-E6DEEA7CB85E}  Intel Corporation  2019-12-26
Intel(R) Management Engine Components  1938.13.0.1312  Unknown  {1CEAC85D-2590-4760-800F-8DE5E91F3700}  Intel Corporation  
Intel(R) Management Engine Driver  1.0.0.0  Unknown  {8FCDCB46-0C6D-41FE-AAF5-349EC9ECEF0E}  Intel Corporation  2019-12-26
Intel(R) OEM Extension  1.0.0.0  Unknown  {E060FE01-D531-4A50-AEDF-C348C4A5276C}  Intel Corporation  2019-12-26
Intel(R) Serial IO  30.100.1932.6  Unknown  {7975829D-14B7-4C01-808C-414C898CD39A}  Intel Corporation  2019-12-26
LG Control Center  1.0.1912.601  Unknown  {6E274140-DCD0-4FF1-9F9C-26F62B51F44D}  LG Electronics Inc.  2019-12-26
LG Device Manager  1.0.2001.1702  Unknown  {29B3EDEF-C8F6-408E-AE67-53AF1B143032}  LG Electronics Inc.  2020-03-18
LG On Screen Display 3  1.0.1912.301  Unknown  {CDF8BA0D-9707-4F6B-A7A8-D9F536EF49B0}  LG Electronics Inc.  2020-03-18
LG Reader Mode  1.0.1912.301  Unknown  {6BBDD2CD-CCB4-4184-98EE-6A29F911A763}  LG Electronics Inc.  2020-03-18
LG Update Center  1.0.2002.1001  Unknown  {70844FF3-F678-4FDB-90CB-7132F030783E}  LG Electronics Inc.  2019-12-26
Microsoft Edge Update  1.3.121.21  Unknown  Microsoft Edge Update    
Microsoft Edge  80.0.361.66  Unknown  Microsoft Edge  Microsoft Corporation  2020-03-18
Microsoft Office 365 - en-us  16.0.12527.20278  Unknown  O365HomePremRetail - en-us  Microsoft Corporation  
Microsoft Office 365 - zh-cn  16.0.12527.20278  Unknown  O365HomePremRetail - zh-cn  Microsoft Corporation  
Microsoft OneDrive  19.232.1124.0008  Unknown  OneDriveSetup.exe  Microsoft Corporation  
Microsoft VC++ redistributables repacked.  12.0.0.0  Unknown  {D035779D-526D-4400-A9AA-A7E6172C1B5D}  Intel Corporation  2019-12-26
Microsoft Visual C++ 2012 RC Redistributable (x86) - 11.0.50522  11.0.50522.0  Unknown  {3184be55-c1cb-41c6-9e2c-e3ee15eed812}  Microsoft Corporation  
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030  11.0.61030.0  Unknown  {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}  Microsoft Corporation  
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030  11.0.61030.0  Unknown  {33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}  Microsoft Corporation  
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030  11.0.61030  Unknown  {37B8F9C7-03FB-3253-8781-2517C99D7C00}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030  11.0.61030  Unknown  {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50522  11.0.50522  Unknown  {A420789F-926D-3CC1-976F-EA60683BF78F}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030  11.0.61030  Unknown  {B175520C-86A2-35A7-8619-86DC379688B9}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50522  11.0.50522  Unknown  {9890E3FE-F661-3A95-92B5-62B3312C7787}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030  11.0.61030  Unknown  {BD95A8CD-1D9F-35AD-981A-3E7925026EBB}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026  14.0.23026.0  Unknown  {e46eca4f-393b-40df-9f49-076faf788d83}  Microsoft Corporation  
Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.23026  14.0.23026  Unknown  {BC958BD2-5DAC-3862-BB1A-C1BE0790438D}  Microsoft Corporation  2019-12-26
Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.23026  14.0.23026  Unknown  {0D3E9E15-DE7A-300B-96F1-B4AF12B96488}  Microsoft Corporation  2019-12-26
Office 16 Click-to-Run Extensibility Component  16.0.12527.20278  Unknown  {90160000-008C-0000-1000-0000000FF1CE}  Microsoft Corporation  2020-03-18
Office 16 Click-to-Run Licensing Component  16.0.12527.20242  Unknown  {90160000-007E-0000-1000-0000000FF1CE}  Microsoft Corporation  2020-03-18
Office 16 Click-to-Run Localization Component [chinese (simplified, china)]  16.0.12527.20278  Unknown  {90160000-008C-0804-1000-0000000FF1CE}  Microsoft Corporation  2020-03-18
Office 16 Click-to-Run Localization Component  16.0.12527.20278  Unknown  {90160000-008C-0409-1000-0000000FF1CE}  Microsoft Corporation  2020-03-18
Panda version 4.0.0  4.0.0  Unknown  {78DEFD5D-2CFE-4A15-B24B-9E6F079DC611}_is1  Panda  2020-03-18
TAP-Windows 9.21.2  9.21.2  Unknown  TAP-Windows    
TIM  2.3.2.21173  Unknown  TIM  ????(??)????  


Licenses

 
Software  Product Key
Microsoft Internet Explorer 11.719.18362.0  KG4NF-VHXBD-VH2MD-7BMMD-H22HF
Microsoft Windows 10 Home  KG4NF-VHXBD-VH2MD-7BMMD-H22HF


File Types

 
Extension  File Type Description  Content Type
001  001 Archive  
386  Virtual Device Driver  
3G2  3GPP2 Audio/Video  video/3gpp2
3GP  3GPP Audio/Video  video/3gpp
3GP2  3GPP2 Audio/Video  video/3gpp2
3GPP  3GPP Audio/Video  video/3gpp
7Z  7z Archive  
AAC  ADTS Audio  audio/vnd.dlna.adts
ACCDA  Microsoft Access Add-in  application/msaccess.addin
ACCDB  Microsoft Access Database  application/msaccess
ACCDC  Microsoft Access Signed Package  application/msaccess.cab
ACCDE  Microsoft Access ACCDE Database  application/msaccess.exec
ACCDR  Microsoft Access Runtime Application  application/msaccess.runtime
ACCDT  Microsoft Access Template  application/msaccess.template
ACCDU  Microsoft Access Add-in Data  
ACCDW  Microsoft Access Web Application  application/msaccess.webapplication
ACCFT  Microsoft Access Template  application/msaccess.ftemplate
ACCOUNTPICTURE-MS  Account Picture File  application/windows-accountpicture
ACL  AutoCorrect List File  
ADE  Microsoft Access Project Extension  application/msaccess
ADN  Microsoft Access Blank Project Template  
ADP  Microsoft Access Project  application/msaccess
ADT  ADTS Audio  audio/vnd.dlna.adts
ADTS  ADTS Audio  audio/vnd.dlna.adts
AIF  AIFF Format Sound  audio/aiff
AIFC  AIFF Format Sound  audio/aiff
AIFF  AIFF Format Sound  audio/aiff
ANI  Animated Cursor  
APPCONTENT-MS  Application Content  application/windows-appcontent+xml
APPLICATION  Application Manifest  application/x-ms-application
APPREF-MS  Application Reference  
ARJ  arj Archive  
ASA  ASA File  
ASF  Windows Media Audio/Video file  video/x-ms-asf
ASP  ASP File  
ASX  Windows Media Audio/Video playlist  video/x-ms-asf
AU  AU Format Sound  audio/basic
AVI  Video Clip  video/avi
AW  Answer Wizard File  
BAT  Windows Batch File  
BLG  Performance Monitor File  
BMP  Bitmap Image  image/bmp
BZ2  bz2 Archive  
BZIP2  bzip2 Archive  
CAB  Cabinet File  
CAMP  WCS Viewing Condition Profile  
CAT  Security Catalog  application/vnd.ms-pki.seccat
CDA  CD Audio Track  
CDMP  WCS Device Profile  
CDX  CDX File  
CDXML  CDXML File  
CER  Security Certificate  application/x-x509-ca-cert
CHK  Recovered File Fragments  
CHM  Compiled HTML Help file  
CMD  Windows Command Script  
COM  MS-DOS Application  
COMPOSITEFONT  Composite Font File  
CPIO  cpio Archive  
CPL  Control Panel Item  
CRL  Certificate Revocation List  application/pkix-crl
CRT  Security Certificate  application/x-x509-ca-cert
CRTX  Microsoft Office Chart Template  
CSS  Cascading Style Sheet Document  text/css
CSV  Microsoft Excel Comma Separated Values File  application/vnd.ms-excel
CUR  Cursor  
DB  Data Base File  
DCTX  Open Extended Dictionary  
DCTXC  Open Extended Dictionary  
DDS  DDS Image  image/vnd.ms-dds
DEB  deb Archive  
DER  Security Certificate  application/x-x509-ca-cert
DESKLINK  Desktop Shortcut  
DESKTHEMEPACK  Windows Desktop Theme Pack  
DET  Office Data File  
DIAGCAB  Diagnostic Cabinet  
DIAGCFG  Diagnostic Configuration  
DIAGPKG  Diagnostic Document  
DIB  Bitmap Image  image/bmp
DIC  Text Document  
DLL  Application Extension  application/x-msdownload
DMG  dmg Archive  
DOC  Microsoft Word 97 - 2003 Document  application/msword
DOCHTML  Microsoft Word HTML Document  
DOCM  Microsoft Word Macro-Enabled Document  application/vnd.ms-word.document.macroEnabled.12
DOCMHTML  DOCMHTML File  
DOCX  Microsoft Word Document  application/vnd.openxmlformats-officedocument.wordprocessingml.document
DOCXML  Microsoft Word XML Document  
DOT  Microsoft Word 97 - 2003 Template  application/msword
DOTHTML  Microsoft Word HTML Template  
DOTM  Microsoft Word Macro-Enabled Template  application/vnd.ms-word.template.macroEnabled.12
DOTX  Microsoft Word Template  application/vnd.openxmlformats-officedocument.wordprocessingml.template
DQY  Microsoft Excel ODBC Query File  
DRV  Device Driver  
DSN  Microsoft OLE DB Provider for ODBC Drivers  
ELM  Microsoft Office Themes File  
EMF  EMF File  image/x-emf
EML  E-mail Message  
ESD  esd Archive  
EVT  EVT File  
EVTX  EVTX File  
EXC  Text Document  
EXE  Application  application/x-msdownload
FAT  fat Archive  
FDM  Outlook Form Definition  
FLAC  FLAC Audio  audio/x-flac
FON  Font file  
GCSX  Microsoft Office SmartArt Graphic Color Variation  
GIF  GIF Image  image/gif
GLOX  Microsoft Office SmartArt Graphic Layout  
GMMP  WCS Gamut Mapping Profile  
GQSX  Microsoft Office SmartArt Graphic Quick Style  
GRA  Microsoft Graph Chart  
GRP  Microsoft Program Group  
GZ  gz Archive  
GZIP  gzip Archive  
HFS  hfs Archive  
HLP  Help File  
HOL  Outlook Holidays  
HTA  HTML Application  application/hta
HTM  HTML Document  text/html
HTML  HTML Document  text/html
HXA  Microsoft Help Attribute Definition File  application/xml
HXC  Microsoft Help Collection Definition File  application/xml
HXD  Microsoft Help Validator File  application/octet-stream
HXE  Microsoft Help Samples Definition File  application/xml
HXF  Microsoft Help Include File  application/xml
HXH  Microsoft Help Merged Hierarchy File  application/octet-stream
HXI  Microsoft Help Compiled Index File  application/octet-stream
HXK  Microsoft Help Index File  application/xml
HXQ  Microsoft Help Merged Query Index File  application/octet-stream
HXR  Microsoft Help Merged Attribute Index File  application/octet-stream
HXS  Microsoft Help Compiled Storage File  application/octet-stream
HXT  Microsoft Help Table of Contents File  application/xml
HXV  Microsoft Help Virtual Topic Definition File  application/xml
HXW  Microsoft Help Attribute Definition File  application/octet-stream
ICC  ICC Profile  
ICL  Icon Library  
ICM  ICC Profile  
ICO  Icon  image/x-icon
ICS  iCalendar File  text/calendar
IGP  Intel Graphics Profiles  
IMESX  IME Search provider definition  
IMG  Disc Image File  
INF  Setup Information  
INI  Configuration Settings  
IQY  Microsoft Excel Web Query File  text/x-ms-iqy
ISO  Disc Image File  
JFIF  JPEG Image  image/jpeg
JOB  Task Scheduler Task Object  
JOD  Microsoft.Jet.OLEDB.4.0  
JPE  JPEG Image  image/jpeg
JPEG  JPEG Image  image/jpeg
JPG  JPEG Image  image/jpeg
JS  JavaScript File  
JSE  JScript Encoded File  
JXR  Windows Media Photo  image/vnd.ms-photo
LABEL  Property List  
LACCDB  Microsoft Access Record-Locking Information  
LDB  Microsoft Access Record-Locking Information  
LEX  Dictionary File  
LHA  lha Archive  
LIBRARY-MS  Library Folder  application/windows-library+xml
LNK  Shortcut  
LOG  Text Document  
LZH  lzh Archive  
LZMA  lzma Archive  
M1V  Movie Clip  video/mpeg
M2T  AVCHD Video  video/vnd.dlna.mpeg-tts
M2TS  AVCHD Video  video/vnd.dlna.mpeg-tts
M2V  Movie Clip  video/mpeg
M3U  M3U file  audio/x-mpegurl
M4A  MPEG-4 Audio  audio/mp4
M4V  MP4 Video  video/mp4
MAD  Microsoft Access Module Shortcut  
MAF  Microsoft Access Form Shortcut  
MAG  Microsoft Access Diagram Shortcut  
MAM  Microsoft Access Macro Shortcut  
MAPIMAIL  Mail Service  
MAQ  Microsoft Access Query Shortcut  
MAR  Microsoft Access Report Shortcut  
MAS  Microsoft Access Stored Procedure Shortcut  
MAT  Microsoft Access Table Shortcut  
MAU  MAU File  
MAV  Microsoft Access View Shortcut  
MAW  Microsoft Access Data Access Page Shortcut  
MDA  Microsoft Access Add-in  application/msaccess
MDB  Microsoft Access Database  application/msaccess
MDBHTML  Microsoft Access HTML Document  
MDE  Microsoft Access MDE Database  application/msaccess
MDN  Microsoft Access Blank Database Template  
MDT  Microsoft Access Add-in Data  
MDW  Microsoft Access Workgroup Information  
MHT  MHTML Document  message/rfc822
MHTML  MHTML Document  message/rfc822
MID  MIDI Sequence  audio/mid
MIDI  MIDI Sequence  audio/mid
MK3D  MK3D Video  
MKA  MKA Audio  audio/x-matroska
MKV  MKV Video  video/x-matroska
MLC  Language Pack File_  
MOD  Movie Clip  video/mpeg
MOV  QuickTime Movie  video/quicktime
MP2  MP3 Format Sound  audio/mpeg
MP2V  Movie Clip  video/mpeg
MP3  MP3 Format Sound  audio/mpeg
MP4  MP4 Video  video/mp4
MP4V  MP4 Video  video/mp4
MPA  Movie Clip  audio/mpeg
MPE  Movie Clip  video/mpeg
MPEG  Movie Clip  video/mpeg
MPG  Movie Clip  video/mpeg
MPV2  Movie Clip  video/mpeg
MSC  Microsoft Common Console Document  
MSG  Outlook Item  
MSI  Windows Installer Package  
MSP  Windows Installer Patch  
MSRCINCIDENT  Windows Remote Assistance Invitation  
MSSTYLES  Windows Visual Style File  
MSU  Microsoft Update Standalone Package  
MS-WINDOWS-STORE-LICENSE  Windows Store License  
MTS  AVCHD Video  video/vnd.dlna.mpeg-tts
MYDOCS  MyDocs Drop Target  
NFO  MSInfo Configuration File  
NK2  Outlook Nickname File  
NST  Outlook Data File  
NTFS  ntfs Archive  
OCX  ActiveX control  
ODC  Microsoft Office Data Connection  text/x-ms-odc
ODCCUBEFILE  ODCCUBEFILE File  
ODCDATABASEFILE  ODCDATABASEFILE File  
ODCNEWFILE  ODCNEWFILE File  
ODCTABLECOLLECTIONFILE  ODCTABLECOLLECTIONFILE File  
ODCTABLEFILE  ODCTABLEFILE File  
ODP  OpenDocument Presentation  application/vnd.oasis.opendocument.presentation
ODS  OpenDocument Spreadsheet  application/vnd.oasis.opendocument.spreadsheet
ODT  OpenDocument Text  application/vnd.oasis.opendocument.text
OFS  Outlook Form Regions  
OFT  Outlook Item Template  
OLS  Office List Shortcut  application/vnd.ms-publisher
OPC  Microsoft Clean-up Wizard File  
OQY  Microsoft Excel OLAP Query File  
OSDX  OpenSearch Description File  application/opensearchdescription+xml
OST  Outlook Data File  
OTF  OpenType Font file  
OTM  Outlook VBA Project File  
P10  Certificate Request  application/pkcs10
P12  Personal Information Exchange  application/x-pkcs12
P7B  PKCS #7 Certificates  application/x-pkcs7-certificates
P7C  Digital ID File  application/pkcs7-mime
P7M  PKCS #7 MIME Message  application/pkcs7-mime
P7R  Certificate Request Response  application/x-pkcs7-certreqresp
P7S  PKCS #7 Signature  application/pkcs7-signature
PAB  Outlook Personal Address Book  
PARTIAL  Partial Download  
PBK  Dial-Up Phonebook  
PCB  PCB File  
PERFMONCFG  Performance Monitor Configuration  
PFM  Type 1 Font file  
PFX  Personal Information Exchange  application/x-pkcs12
PIF  Shortcut to MS-DOS Program  
PKO  Public Key Security Object  application/vnd.ms-pki.pko
PNF  Precompiled Setup Information  
PNG  PNG Image  image/png
POT  Microsoft PowerPoint 97-2003 Template  application/vnd.ms-powerpoint
POTHTML  Microsoft PowerPoint HTML Template  
POTM  Microsoft PowerPoint Macro-Enabled Design Template  application/vnd.ms-powerpoint.template.macroEnabled.12
POTX  Microsoft PowerPoint Template  application/vnd.openxmlformats-officedocument.presentationml.template
PPA  Microsoft PowerPoint 97-2003 Addin  application/vnd.ms-powerpoint
PPAM  Microsoft PowerPoint Addin  application/vnd.ms-powerpoint.addin.macroEnabled.12
PPKG  RunTime Provisioning Tool  
PPS  Microsoft PowerPoint 97-2003 Slide Show  application/vnd.ms-powerpoint
PPSM  Microsoft PowerPoint Macro-Enabled Slide Show  application/vnd.ms-powerpoint.slideshow.macroEnabled.12
PPSX  Microsoft PowerPoint Slide Show  application/vnd.openxmlformats-officedocument.presentationml.slideshow
PPT  Microsoft PowerPoint 97-2003 Presentation  application/vnd.ms-powerpoint
PPTHTML  Microsoft PowerPoint HTML Document  
PPTM  Microsoft PowerPoint Macro-Enabled Presentation  application/vnd.ms-powerpoint.presentation.macroEnabled.12
PPTMHTML  PPTMHTML File  
PPTX  Microsoft PowerPoint Presentation  application/vnd.openxmlformats-officedocument.presentationml.presentation
PPTXML  Microsoft PowerPoint XML Presentation  
PRF  PICS Rules File  application/pics-rules
PS1  PS1 File  
PS1XML  PS1XML File  
PSC1  PSC1 File  application/PowerShell
PSD1  PSD1 File  
PSM1  PSM1 File  
PSSC  PSSC File  
PST  Outlook Data File  
PUB  Microsoft Publisher Document  application/vnd.ms-publisher
PUBHTML  PUBHTML File  
PUBMHTML  PUBMHTML File  
PWZ  Microsoft PowerPoint Wizard  application/vnd.ms-powerpoint
QDS  Directory Query  
RAR  rar Archive  
RAT  Rating System File  application/rat-file
RDP  Remote Desktop Connection  
REG  Registration Entries  
RELS  XML Document  
RESMONCFG  Resource Monitor Configuration  
RLE  RLE File  
RLL  Application Extension  
RMI  MIDI Sequence  audio/mid
RPM  rpm Archive  
RQY  Microsoft Excel OLE DB Query File  text/x-ms-rqy
RTF  Rich Text Format  application/msword
SCF  File Explorer Command  
SCP  Text Document  
SCR  Screen saver  
SCT  Windows Script Component  text/scriptlet
SEARCHCONNECTOR-MS  Search Connector Folder  application/windows-search-connector+xml
SEARCH-MS  Saved Search  
SETTINGCONTENT-MS  Setting Content  
SFCACHE  ReadyBoost Cache File  
SLDM  Microsoft PowerPoint Macro-Enabled Slide  application/vnd.ms-powerpoint.slide.macroEnabled.12
SLDX  Microsoft PowerPoint Slide  application/vnd.openxmlformats-officedocument.presentationml.slide
SLK  Microsoft Excel SLK Data Import Format  application/vnd.ms-excel
SND  AU Format Sound  audio/basic
SPC  PKCS #7 Certificates  application/x-pkcs7-certificates
SPL  Shockwave Flash Object  application/futuresplash
SQUASHFS  squashfs Archive  
SST  Microsoft Serialized Certificate Store  application/vnd.ms-pki.certstore
SVG  SVG Document  image/svg+xml
SWF  Shockwave Flash Object  application/x-shockwave-flash
SWM  swm Archive  
SYMLINK  .symlink  
SYS  System file  
TAR  tar Archive  
TAZ  taz Archive  
TBZ  tbz Archive  
TBZ2  tbz2 Archive  
TGZ  tgz Archive  
THEME  Windows Theme File  
THEMEPACK  Windows Theme Pack  
THMX  Microsoft Office Theme  application/vnd.ms-officetheme
TIF  TIF File  image/tiff
TIFF  TIFF File  image/tiff
TPZ  tpz Archive  
TS  MPEG-2 TS Video  video/vnd.dlna.mpeg-tts
TTC  TrueType Collection Font file  
TTF  TrueType Font file  
TTS  MPEG-2 TS Video  video/vnd.dlna.mpeg-tts
TXT  Text Document  text/plain
TXZ  txz Archive  
UDL  Microsoft Data Link  
URL  URL File  
UXDC  UXDC File  
VBE  VBScript Encoded File  
VBS  VBScript Script File  
VCF  vCard File  text/x-vcard
VCS  vCalendar File  
VDW  Microsoft Visio Document  application/vnd.ms-visio.viewer
VDX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VHD  Disc Image File  
VHDPMEM  Disc Image File  
VHDX  Disc Image File  
VSD  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSDM  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSDX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSS  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSSM  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSSX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VST  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSTM  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSTO  VSTO Deployment Manifest  application/x-ms-vsto
VSTX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VSX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VTX  Microsoft Visio Document  application/vnd.ms-visio.viewer
VXD  Virtual Device Driver  
WAB  Address Book File  
WAV  Wave Sound  audio/wav
WAX  Windows Media Audio shortcut  audio/x-ms-wax
WBCAT  Windows Backup Catalog File  
WBK  Microsoft Word Backup Document  application/msword
WCX  Workspace Configuration File  
WDP  Windows Media Photo  image/vnd.ms-photo
WEBPNP  Web Point And Print File  
WEBSITE  Pinned Site Shortcut  application/x-mswebsite
WIM  wim Archive  
WIZ  Microsoft Word Wizard  application/msword
WIZHTML  Microsoft Access HTML Template  
WLL  WLL File  
WM  Windows Media Audio/Video file  video/x-ms-wm
WMA  Windows Media Audio file  audio/x-ms-wma
WMD  Windows Media Player Download Package  application/x-ms-wmd
WMDB  Windows Media Library  
WMF  WMF File  image/x-wmf
WMS  Windows Media Player Skin File  
WMV  Windows Media Audio/Video file  video/x-ms-wmv
WMX  Windows Media Audio/Video playlist  video/x-ms-wmx
WMZ  Windows Media Player Skin Package  application/x-ms-wmz
WPL  Windows Media playlist  application/vnd.ms-wpl
WSC  Windows Script Component  text/scriptlet
WSF  Windows Script File  
WSH  Windows Script Host Settings File  
WTX  Text Document  
WVX  Windows Media Audio/Video playlist  video/x-ms-wvx
XAML  Windows Markup File  application/xaml+xml
XAR  xar Archive  
XBAP  XAML Browser Application  application/x-ms-xbap
XEVGENXML  XEVGENXML File  
XHT  XHTML Document  application/xhtml+xml
XHTML  XHTML Document  application/xhtml+xml
XLA  Microsoft Excel Add-In  application/vnd.ms-excel
XLAM  Microsoft Excel Add-In  application/vnd.ms-excel.addin.macroEnabled.12
XLD  Microsoft Excel 5.0 DialogSheet  application/vnd.ms-excel
XLK  Microsoft Excel Backup File  application/vnd.ms-excel
XLL  Microsoft Excel XLL Add-In  application/vnd.ms-excel
XLM  Microsoft Excel 4.0 Macro  application/vnd.ms-excel
XLS  Microsoft Excel 97-2003 Worksheet  application/vnd.ms-excel
XLSB  Microsoft Excel Binary Worksheet  application/vnd.ms-excel.sheet.binary.macroEnabled.12
XLSHTML  Microsoft Excel HTML Document  
XLSM  Microsoft Excel Macro-Enabled Worksheet  application/vnd.ms-excel.sheet.macroEnabled.12
XLSMHTML  XLSMHTML File  
XLSX  Microsoft Excel Worksheet  application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
XLT  Microsoft Excel Template  application/vnd.ms-excel
XLTHTML  Microsoft Excel HTML Template  
XLTM  Microsoft Excel Macro-Enabled Template  application/vnd.ms-excel.template.macroEnabled.12
XLTX  Microsoft Excel Template  application/vnd.openxmlformats-officedocument.spreadsheetml.template
XLW  Microsoft Excel Workspace  application/vnd.ms-excel
XLXML  Microsoft Excel XML Worksheet  
XML  XML Document  text/xml
XRM-MS  XrML Digital License  text/xml
XSL  XSL Stylesheet  text/xml
XZ  xz Archive  
Z  z Archive  
ZFSENDTOTARGET  Compressed (zipped) Folder SendTo Target  
ZIP  zip Archive  


Windows Security

 
Operating System Properties:
OS Name  Microsoft Windows 10 Home
OS Service Pack  -
Winlogon Shell  explorer.exe
User Account Control (UAC)  Enabled
UAC Remote Restrictions  Enabled
System Restore  Enabled
Windows Update Agent  10.0.18362.1 (WinBuild.160101.0800)
 
Data Execution Prevention (DEP, NX, EDB):
Supported by Operating System  Yes
Supported by CPU  Yes
Active (To Protect Applications)  Yes
Active (To Protect Drivers)  Yes


Windows Update

 
Update Description  Update Type  Inst. Date
(Automatic Update)  Unknown  
2020-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 for x64 (KB4537572)  Update  3/18/2020
2020-02 Security Update for Adobe Flash Player for Windows 10 Version 1903 for x64-based Systems (KB4537759)  Update  3/18/2020
2020-03 Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4551762)  Update  3/18/2020
9MTW6RN84LVM-Microsoft.NET.Native.Runtime.1.7  Update  3/18/2020
9MW2LKJ0TPJF-Microsoft.NET.Native.Framework.2.2  Update  3/18/2020
9MZ8BK1XV75W-Microsoft.NET.Native.Runtime.2.1  Update  3/18/2020
9N0H1M8J1308-DTSInc.DTSXUltra  Update  3/18/2020
9N6F0JV38PH1-AppUp.ThunderboltControlCenter  Update  3/18/2020
9NBLGGH3FRZM-Microsoft.VCLibs.140.00  Update  3/18/2020
9PK21VDD7LD9-Microsoft.NET.Native.Framework.2.1  Update  3/18/2020
9PLFNLNT3G5G-AppUp.IntelGraphicsExperience  Update  3/18/2020
9PLL735RFDSM-Microsoft.NET.Native.Runtime.2.2  Update  3/18/2020
Feature update to Windows 10, version 1909  Update  3/18/2020
Feature update to Windows 10, version 1909  Update  3/18/2020
Intel - net - 21.60.2.1  Update  3/18/2020
Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.1426.0)  Update  3/18/2020
Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.311.1426.0)  Update  3/18/2020
Update for Windows Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2001.10)  Update  3/18/2020
Windows Malicious Software Removal Tool x64 - March 2020 (KB890830)  Update  3/18/2020


Anti-Virus

 
Software Description  Software Version  Virus Database Date  Known Viruses
Windows Defender  4.18.2001.10  3/18/2020  ?


Firewall

 
Software Description  Software Version  Status
Windows Firewall  10.0.18362.1  Enabled


Anti-Spyware

 
Software Description  Software Version
Microsoft Windows Defender  4.18.2001.10


Regional

 
Time Zone:
Current Time Zone  China Standard Time
Current Time Zone Description  (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Change To Standard Time  
Change To Daylight Saving Time  
 
Language:
Language Name (Native)  English
Language Name (English)  English
Language Name (ISO 639)  en
 
Country/Region:
Country Name (Native)  United States
Country Name (English)  United States
Country Name (ISO 3166)  US
Country Code  1
 
Currency:
Currency Name (Native)  US Dollar
Currency Name (English)  US Dollar
Currency Symbol (Native)  $
Currency Symbol (ISO 4217)  USD
Currency Format  $123,456,789.00
Negative Currency Format  ($123,456,789.00)
 
Formatting:
Time Format  h:mm:ss tt
Short Date Format  M/d/yyyy
Long Date Format  dddd, MMMM d, yyyy
Number Format  123,456,789.00
Negative Number Format  -123,456,789.00
List Format  first, second, third
Native Digits  0123456789
 
Days of Week:
Native Name for Monday  Monday / Mon
Native Name for Tuesday  Tuesday / Tue
Native Name for Wednesday  Wednesday / Wed
Native Name for Thursday  Thursday / Thu
Native Name for Friday  Friday / Fri
Native Name for Saturday  Saturday / Sat
Native Name for Sunday  Sunday / Sun
 
Months:
Native Name for January  January / Jan
Native Name for February  February / Feb
Native Name for March  March / Mar
Native Name for April  April / Apr
Native Name for May  May / May
Native Name for June  June / Jun
Native Name for July  July / Jul
Native Name for August  August / Aug
Native Name for September  September / Sep
Native Name for October  October / Oct
Native Name for November  November / Nov
Native Name for December  December / Dec
 
Miscellaneous:
Calendar Type  Gregorian (localized)
Default Paper Size  US Letter
Measurement System  U.S.
 
Display Languages:
LCID 0409h (Active)  English (United States)
LCID 0804h  Chinese (Simplified, China)


Environment

 
Variable  Value
__COMPAT_LAYER  DetectorsMessageBoxErrors DetectorsWin7 Installer
ALLUSERSPROFILE  C:\ProgramData
APPDATA  C:\Users\redblue\AppData\Roaming
CommonProgramFiles(x86)  C:\Program Files (x86)\Common Files
CommonProgramFiles  C:\Program Files (x86)\Common Files
CommonProgramW6432  C:\Program Files\Common Files
COMPUTERNAME  DESKTOP-UT5JEJD
ComSpec  C:\Windows\system32\cmd.exe
configsetroot  C:\Windows\ConfigSetRoot
DriverData  C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING  Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING  Default
HOMEDRIVE  C:
HOMEPATH  \Users\redblue
LOCALAPPDATA  C:\Users\redblue\AppData\Local
LOGONSERVER  \\DESKTOP-UT5JEJD
NUMBER_OF_PROCESSORS  8
OneDrive  C:\Users\redblue\OneDrive
OS  Windows_NT
Path  C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\redblue\AppData\Local\Microsoft\WindowsApps
PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE  x86
PROCESSOR_ARCHITEW6432  AMD64
PROCESSOR_IDENTIFIER  Intel64 Family 6 Model 126 Stepping 5, GenuineIntel
PROCESSOR_LEVEL  6
PROCESSOR_REVISION  7e05
ProgramData  C:\ProgramData
ProgramFiles(x86)  C:\Program Files (x86)
ProgramFiles  C:\Program Files (x86)
ProgramW6432  C:\Program Files
PSModulePath  C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC  C:\Users\Public
SystemDrive  C:
SystemRoot  C:\Windows
TEMP  C:\Users\redblue\AppData\Local\Temp
TMP  C:\Users\redblue\AppData\Local\Temp
USERDOMAIN_ROAMINGPROFILE  DESKTOP-UT5JEJD
USERDOMAIN  DESKTOP-UT5JEJD
USERNAME  redblue
USERPROFILE  C:\Users\redblue
windir  C:\Windows


Control Panel

 
Name  Comment
Flash Player  Manage Flash Player Settings


Recycle Bin

 
Drive  Items Size  Items Count  Space %  Recycle Bin
C:  0  0  ?  ?
D:  0  0  ?  ?


System Files

 
[ system.ini ]
 
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
 
[ win.ini ]
 
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[annie]
CaptureFile=
VideoDevice2=@device:pnp:\\?\usb#vid_0bda&pid_5641&mi_00#6&2651c099&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\global
AudioDevice2=
FrameRate=667111
UseFrameRate=1
CaptureAudio=0
CaptureCC=0
WantPreview=1
MasterStream=1
UseTimeLimit=0
TimeLimit=0
 
[ hosts ]
 
 
[ lmhosts.sam ]
 


System Folders

 
System Folder  Path
Administrative Tools  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
AppData  C:\Users\redblue\AppData\Roaming
Cache  C:\Users\redblue\AppData\Local\Microsoft\Windows\INetCache
CD Burning  C:\Users\redblue\AppData\Local\Microsoft\Windows\Burn\Burn
Common Administrative Tools  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
Common AppData  C:\ProgramData
Common Desktop  C:\Users\Public\Desktop
Common Documents  C:\Users\Public\Documents
Common Favorites  C:\Users\redblue\Favorites
Common Files (x86)  C:\Program Files (x86)\Common Files
Common Files  C:\Program Files (x86)\Common Files
Common Music  C:\Users\Public\Music
Common Pictures  C:\Users\Public\Pictures
Common Programs  C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Common Start Menu  C:\ProgramData\Microsoft\Windows\Start Menu
Common Startup  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Common Templates  C:\ProgramData\Microsoft\Windows\Templates
Common Video  C:\Users\Public\Videos
Cookies  C:\Users\redblue\AppData\Local\Microsoft\Windows\INetCookies
Desktop  C:\Users\redblue\Desktop
Device  C:\Windows\inf
Favorites  C:\Users\redblue\Favorites
Fonts  C:\Windows\Fonts
History  C:\Users\redblue\AppData\Local\Microsoft\Windows\History
Local AppData  C:\Users\redblue\AppData\Local
My Documents  C:\Users\redblue\Documents
My Music  C:\Users\redblue\Music
My Pictures  C:\Users\redblue\Pictures
My Video  C:\Users\redblue\Videos
NetHood  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Network Shortcuts
PrintHood  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Profile  C:\Users\redblue
Program Files (x86)  C:\Program Files (x86)
Program Files  C:\Program Files (x86)
Programs  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Recent  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Recent
Resources  C:\Windows\resources
SendTo  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\SendTo
Start Menu  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Start Menu
Startup  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
System (x86)  C:\Windows\SysWOW64
System  C:\Windows\system32
Temp  C:\Users\redblue\AppData\Local\Temp\
Templates  C:\Users\redblue\AppData\Roaming\Microsoft\Windows\Templates
Windows  C:\Windows


Event Logs

 
Log Name  Event Type  Category  Generated On  User  Source  Description
Application  Error  None  2020-03-18 10:09:59    VSS  13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
Application  Error  None  2020-03-18 10:09:59  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 14856 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<14856 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 10:09:59  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 15004 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<15004 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 10:15:51  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 378833 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<378833 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 10:15:52  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 379637 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<379637 ms>: Error: dwNotificationStatus = 1115
Application  Warning  3  2020-03-18 10:17:03    Windows Search Service  3086: The system locale has changed. Existing data will be deleted and the index must be recreated. Context: Application, SystemIndex Catalog
Application  Error  None  2020-03-18 10:18:53  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 171374 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<171374 ms>: Error: dwNotificationStatus = 1115
Application  Warning  3  2020-03-18 10:20:32    Windows Search Service  3086: The system locale has changed. Existing data will be deleted and the index must be recreated. Context: Application, SystemIndex Catalog
Application  Error  1  2020-03-18 10:24:22    ESENT  522: StartMenuExperienceHost (5764,P,98) TILEREPOSITORYS-1-5-21-4230960370-218822903-690480705-1002: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).
Application  Error  3  2020-03-18 10:24:22    ESENT  455: StartMenuExperienceHost (5764,R,98) TILEREPOSITORYS-1-5-21-4230960370-218822903-690480705-1002: Error -1023 (0xfffffc01) occurred while opening logfile C:\Users\redblue\AppData\Local\TileDataLayer\Database\EDB.log.
Application  Error  None  2020-03-18 10:35:44    COM  10031: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {F6C29334-47DC-4397-9150-F549CF1D4861} was rejected
Application  Error  None  2020-03-18 10:37:30    Microsoft Office 16  2011: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {A55672FD-87FF-4F06-BCBB-A3CE5816A1B8}
Application  Error  None  2020-03-18 10:38:41  SYSTEM  CertEnroll  87: SCEP Certificate enrollment for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: PkiStatus(11): SCEPDispositionPendingChallenge EnrollStatus(32): EnrollUnknown The operation completed successfully. 0x0 (WIN32: 0) SubmitDone Submit(Request): OK HTTP/1.1 200 OK Cache-Control: no-cache Date: Wed, 18 Mar 2020 02:37:31 GMT Pragma: no-cache Content-Length: 9325 Content-Type: application/x-pki-message Expires: -1 x-ms-request-id: 2898193f-d686-4a2b-9cea-291e9b66813a Strict-Transport-Security: max-age=31536000;includeSubDomains X-Content-Type-Options: nosniff Method: POST(95406ms) Stage: SubmitDone The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Application  Error  None  2020-03-18 10:44:57  SYSTEM  Microsoft-Windows-Perflib  1020: The required buffer size is greater than the buffer size passed to the Collect function of the "C:\Windows\System32\perfts.dll" Extensible Counter DLL for the "LSM" service. The given buffer size was 20768 and the required size was 35064.
Application  Warning  None  2020-03-18 10:48:05  SYSTEM  Microsoft-Windows-RestartManager  10010: Application 'C:\Program Files (x86)\LG Software\LG Control Center\LGControlCenterRTManager.exe' (pid 9044) cannot be restarted - 1.
Application  Warning  None  2020-03-18 10:48:05  SYSTEM  Microsoft-Windows-RestartManager  10010: Application 'C:\Program Files\WindowsApps\22094SynapticsIncorporate.SmartAudio2_1.1.51.0_x86__qt57b6kdvhcfw\SAII\SmartAudio.exe' (pid 8952) cannot be restarted - 1.
Application  Warning  None  2020-03-18 10:48:05  SYSTEM  Microsoft-Windows-RestartManager  10010: Application 'C:\Program Files (x86)\LG Software\LG Update Center\LGUpdateCenter.exe' (pid 6352) cannot be restarted - 1.
Application  Warning  None  2020-03-18 10:48:05  SYSTEM  Microsoft-Windows-RestartManager  10010: Application 'C:\Program Files (x86)\LG Software\LG Update Center\LG Update Center.exe' (pid 11304) cannot be restarted - 1.
Application  Error  None  2020-03-18 10:58:59    SideBySide  33: Activation context generation failed for "C:\Users\redblue\AppData\Roaming\Tencent\TIM\STemp\TXQQ2052~0\SysDir\Check\atl2_c.dll". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found. Please use sxstrace.exe for detailed diagnosis.
Application  Error  None  2020-03-18 11:05:14    VSS  13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
Application  Error  None  2020-03-18 11:05:14  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 2769613 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<2769613 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:05:15  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 2770520 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<2770520 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:06:21  SYSTEM  CertEnroll  86: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: GetCACaps Method: GET(32ms) Stage: GetCACaps The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
Application  Error  None  2020-03-18 11:06:22  SYSTEM  CertEnroll  86: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: GetCACaps Method: GET(16ms) Stage: GetCACaps The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
Application  Error  None  2020-03-18 11:10:56    VSS  13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
Application  Error  None  2020-03-18 11:10:56    VSS  8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
Application  Error  None  2020-03-18 11:10:56    VSS  13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
Application  Error  None  2020-03-18 11:10:56    VSS  8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
Application  Error  None  2020-03-18 11:10:56  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 332387 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<332387 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:10:57  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 333054 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<333054 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:30:55    SideBySide  33: Activation context generation failed for "C:\Users\redblue\Downloads\PAGreen\PA_Green\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Application  Error  None  2020-03-18 11:30:56    SideBySide  33: Activation context generation failed for "C:\Users\redblue\Downloads\PAGreen\PA_Green\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Application  Error  None  2020-03-18 11:38:01    VSS  13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
Application  Error  None  2020-03-18 11:38:01    VSS  8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
Application  Error  None  2020-03-18 11:38:01  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1499163 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1499163 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:38:02  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1499972 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1499972 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:56:29  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1096367 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1096367 ms>: Error: dwNotificationStatus = 1115
Application  Error  None  2020-03-18 11:57:36  LOCAL SERVICE  DPTF  17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 55076 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<55076 ms>: Error: dwNotificationStatus = 1115
Application  Warning  None  2020-03-18 11:57:36    Wlclntfy  6004: The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.
Application  Error  None  2020-03-18 13:10:37    Service1  0: Failed in handling the PowerEvent. The error that occurred was: System.NullReferenceException: Object reference not set to an instance of an object. at DeviceManager.Service1.OnPowerEvent(PowerBroadcastStatus powerStatus) at System.ServiceProcess.ServiceBase.DeferredPowerEvent(Int32 eventType, IntPtr eventData).
Security  Audit Success  13312  2020-03-16 16:38:42    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:42    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-16 16:38:42    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:42    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-16 16:38:42    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-16 16:38:44    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: ??????????????-??6??c????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:52    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x20c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12292  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10c94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10cb9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b49a Linked Logon ID: 0x1b4bc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b4bc Linked Logon ID: 0x1b49a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b49a Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b4bc Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: ??????????????-??6??c????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x20c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x318 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: ????????????????-??6??8????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10b0e
Security  Audit Success  13826  2020-03-16 16:38:53    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12292  2020-03-16 16:38:54    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-16 16:38:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:38:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-16 16:38:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:38:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-16 16:38:59    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x10ec Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x7a0 Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13826  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xeb8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-16 16:39:00    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1808 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd00 Linked Logon ID: 0x5fd64 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: WIN-T5SAB95QOPJ Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd64 Linked Logon ID: 0x5fd00 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: WIN-T5SAB95QOPJ Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd00 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-ABPHKLO Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-16 16:39:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xeb8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:03    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x3ec Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x3ac Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x3c0 Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_8c225bc560faa67e.cdf-ms Handle ID: 0x38c Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_definition_updates_d3c2d4757cf0b9a3.cdf-ms Handle ID: 0x410 Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_definition_updates_default_44e57bb5c1e3d0e8.cdf-ms Handle ID: 0x43c Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13824  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-16 16:39:09    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13824  2020-03-16 16:39:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x15a4 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-16 16:39:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x15a4 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-16 16:39:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-16 16:39:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 10:09:46    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:46    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 10:09:46    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 10:09:46    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 10:09:54    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x228 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x274 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x274 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x318 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:09:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x338 New Process Name: ????????????????-??6??8????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  101  2020-03-18 10:09:56    Microsoft-Windows-Eventlog  1101: Audit events have been dropped by the transport. 0
Security  Audit Success  12288  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12292  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x11cfb Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x11d03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x194e0 Linked Logon ID: 0x19509 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x19509 Linked Logon ID: 0x194e0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x194e0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x19509 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x364 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x11b84
Security  Audit Success  13824  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12290  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12292  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Process Information: Process ID: 5412 Process Creation Time: 2020-03-18T02:09:57.701977100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Process Information: Process ID: 5412 Process Creation Time: 2020-03-18T02:09:57.701977100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5824 Process Creation Time: 2020-03-18T02:09:57.846191300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5824 Process Creation Time: 2020-03-18T02:09:57.846191300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45bec Linked Logon ID: 0x45c43 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Linked Logon ID: 0x45bec Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45bec Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfd0 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xffc Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:09:57    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6c8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  12548  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4725: A user account was disabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x214 New UAC Value: 0x211 User Account Control: %%2080 %%2050 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:09:58    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19b4 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  103  2020-03-18 10:09:59    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 10:10:13    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  12288  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x101a6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x101e8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b10 Linked Logon ID: 0x17b26 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b26 Linked Logon ID: 0x17b10 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b10 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b26 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x208 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x208 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x348 New Process Name: ????????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 10:10:21    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xffea
Security  Audit Success  12544  2020-03-18 10:10:25    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:25    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:10:25    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:25    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:10:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:10:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12292  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12292  2020-03-18 10:10:28    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  13826  2020-03-18 10:10:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf84 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:10:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:10:29    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:10:29    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-18 10:10:29    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x7a0 Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:10:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:12:10    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:12:10    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:12:14    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe94 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:12:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:12:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:12:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:12:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:12:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 10:13:13    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:13:13    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 3832 Process Creation Time: 2020-03-18T02:13:13.379195500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:13:13    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 3832 Process Creation Time: 2020-03-18T02:13:13.379195500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 10:13:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:13:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:13:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:13:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:13:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:13:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:13:14    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2ec Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  13824  2020-03-18 10:13:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:13:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:13:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:14:29    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:14:29    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x82171 Linked Logon ID: 0x821b3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x821b3 Linked Logon ID: 0x82171 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x82171 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-583 Account Domain: Builtin Old Account Name: Device Owners New Account Name: Device Owners Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 12/26/2019 9:35:46 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 12/26/2019 9:35:46 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Account Domain: DESKTOP-UT5JEJD Old Account Name: None New Account Name: None Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4726: A user account was deleted. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Additional Information: Privileges -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/18/2020 10:14:30 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/18/2020 10:14:30 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: Device Owners SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4729: A member was removed from a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xc98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
Security  Audit Success  13826  2020-03-18 10:14:30    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xc98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12288  2020-03-18 10:15:48    Microsoft-Windows-Security-Auditing  4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:16:26.116786800Z New Time: 2020-03-18T02:15:48.643618300Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security  Audit Success  12288  2020-03-18 10:15:48    Microsoft-Windows-Security-Auditing  4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:15:48.644818300Z New Time: 2020-03-18T02:15:48.644860100Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security  Audit Success  12288  2020-03-18 10:15:50    Microsoft-Windows-Security-Auditing  4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:15:50.949161700Z New Time: 2020-03-18T02:15:50.949418800Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security  Audit Success  12544  2020-03-18 10:15:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:15:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  103  2020-03-18 10:15:51    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13824  2020-03-18 10:15:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:15:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:15:56    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13312  2020-03-18 10:16:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:04    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 10:16:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 10:16:04    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 10:16:05    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10647 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c7a Linked Logon ID: 0x17c91 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c91 Linked Logon ID: 0x17c7a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c7a Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c91 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  13312  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: ????????????????-??6??8????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x340 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 10:16:12    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xff08
Security  Audit Success  12292  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:16:16    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf3c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12292  2020-03-18 10:16:17    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  13826  2020-03-18 10:16:17    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf84 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:16:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:27    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:16:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:16:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:16:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Failure  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Failure  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Failure  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Success  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5828 Process Creation Time: 2020-03-18T02:17:02.664745300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5828 Process Creation Time: 2020-03-18T02:17:02.664745300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6cfc9 Linked Logon ID: 0x6d00b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Linked Logon ID: 0x6cfc9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6cfc9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:17:02    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:17:03    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1974 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:17:07    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:17:07    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:07    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:17:07    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:17:09    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:10    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:10    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:10    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:12    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1430 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:17:12    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1430 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-583 Account Domain: Builtin Old Account Name: Device Owners New Account Name: Device Owners Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 27/12/2019 12:35:46 am Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 27/12/2019 12:35:46 am Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Account Domain: DESKTOP-UT5JEJD Old Account Name: None New Account Name: None Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: Device Owners SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:17:14    Microsoft-Windows-Security-Auditing  4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:17:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:28    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:28    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:28    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:17:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:17:32    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:32    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:17:39    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:17:39    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:18:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:18:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:18:05    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:18:05    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:18:06    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c04 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:43    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12545  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  13824  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:49    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:18:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  103  2020-03-18 10:18:53    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13824  2020-03-18 10:18:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:18:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13312  2020-03-18 10:19:07    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:07    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 10:19:07    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:07    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 10:19:07    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 10:19:08    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:14    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0xfc8f Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x111ec Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Linked Logon ID: 0x1745b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Linked Logon ID: 0x17421 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f0 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2e0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2e0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 10:19:15    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfa7b
Security  Audit Success  12292  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12292  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed0 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 10:19:16    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12290  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Process Information: Process ID: 6004 Process Creation Time: 2020-03-18T02:20:01.613677000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Process Information: Process ID: 6004 Process Creation Time: 2020-03-18T02:20:01.613677000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1888 Process Creation Time: 2020-03-18T02:20:01.741638400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1888 Process Creation Time: 2020-03-18T02:20:01.741638400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x66258 Linked Logon ID: 0x6628d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Linked Logon ID: 0x66258 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x66258 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:20:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:20:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:20:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 10:20:32    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:20:32    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:20:32    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd2c Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:20:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:21:04    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:21:04    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:21:05    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:21:05    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:21:09    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:21:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:21:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:21:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:21:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:21:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:21:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:22:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:22:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:22:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:22:39 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:22:39 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  13826  2020-03-18 10:22:39    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
Security  Audit Success  12544  2020-03-18 10:22:40    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:22:40    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5afa Linked Logon ID: 0xb5b1f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:22:40    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5b1f Linked Logon ID: 0xb5afa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:22:40    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5afa Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:22:40    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Linked Logon ID: 0xbed70 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed70 Linked Logon ID: 0xbed4b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:22:47    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {58DE9657-9503-4F21-A501-BC60A1809D7D} Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {58DE9657-9503-4F21-A501-BC60A1809D7D} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\8b6ae9b9e17b93ada91db6d609940064_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13824  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13824  2020-03-18 10:23:28    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  12292  2020-03-18 10:23:29    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:29    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12545  2020-03-18 10:23:39    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed70 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 10:23:39    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12544  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  4725: A user account was disabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:14:30 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x214 New UAC Value: 0x211 User Account Control: %%2080 %%2050 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:23:46    Microsoft-Windows-Security-Auditing  4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
Security  Audit Success  12545  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 10:23:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-2 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-2 Account Name: UMFD-2 Account Domain: Font Driver Host Logon ID: 0xcf644 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfab3 Linked Logon ID: 0xcfadd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfadd Linked Logon ID: 0xcfab3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Linked Logon ID: 0xd12cf Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Linked Logon ID: 0xd129b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x111ec Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfab3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfadd Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 10:23:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Failure  12290  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Failure  12290  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Failure  12290  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
Security  Audit Success  12290  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:23:49    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12545  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  13824  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:23:59    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:24:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:24:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:24:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:24:21    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:21    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:21    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:30    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:42    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:42    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:24:42    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:25:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:25:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:25:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:25:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:25:54    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:25:54    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:27:08    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:29:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:30:23    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12fc Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  12544  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:35    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Linked Logon ID: 0x21371e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x21371e Linked Logon ID: 0x2136f8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x21371e Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:32:46    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13824  2020-03-18 10:32:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 10:32:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 10:33:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:33:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:33:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:33:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:33:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:33:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:15    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:34:19    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:34:19    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:20    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:23    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:31    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:31    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:31    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:34    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:34    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:34    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:34    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:34:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:34:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:34:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:40    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:50    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:55    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:55    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:55    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:34:55    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:35:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:35:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:15    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 10:35:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:35:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:17    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:35:19    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:35:19    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:35:22    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:22    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:22    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:22    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:25    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:38    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:35:39    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:35:44    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:35:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12290  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:35:52    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 10:36:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:36:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 10:36:37    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:36:37    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:36:38    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:36:38    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:36:38    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:36:38    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:36:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 10:36:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:36:49    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 10:37:05    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:05    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:05    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:05    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:05    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 10:37:18    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12290  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:27    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:32    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:32    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:33    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:37:33    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:33    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:37:33    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 10:38:41    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:38:41    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 10:38:41    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 10:40:07    Microsoft-Windows-Security-Auditing  5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event occurs when a user enumerates stored vault credentials.
Security  Audit Success  13824  2020-03-18 10:40:07    Microsoft-Windows-Security-Auditing  5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event occurs when a user enumerates stored vault credentials.
Security  Audit Success  12544  2020-03-18 10:40:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:40:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:50    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:40:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:41:55    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:41:55    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:42:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:42:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13826  2020-03-18 10:43:00    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1ca4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4726: A user account was deleted. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Additional Information: Privileges -
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4729: A member was removed from a security-enabled global group. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: -
Security  Audit Success  13826  2020-03-18 10:44:24    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 10:44:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:44:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 10:45:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 10:45:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:45:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Failure  12544  2020-03-18 10:45:27    Microsoft-Windows-Security-Auditing  4625: An account failed to log on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0xae8 Caller Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  13824  2020-03-18 10:45:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xae8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:45:59    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 10:46:05    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:46:05    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:46:05    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:46:05    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:47:11    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:47:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:47:49    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:47:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:47:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x48c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_macromed_flash_853cbcf10f17f618.cdf-ms Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_macromed_flash_5ff3bc7496f0271e.cdf-ms Handle ID: 0x48c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\activex.vch Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\Flash.ocx Handle ID: 0x588 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x550 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\activex.vch Handle ID: 0x4d8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x550 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x4d8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13826  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 10:47:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x11a0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x11a0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x5fc Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x11a4 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0x11a4 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x5fc Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 10:48:05    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13824  2020-03-18 10:48:54    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:48:54    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:48:54    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 10:48:54    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:49:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:49:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:49:16    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:49:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:50:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:50:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:50:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:50:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:50:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:50:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:50:53    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1f3c Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-18 10:51:04    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:51:04    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 10:51:04    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2b94 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-18 10:51:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:51:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:51:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:51:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:51:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:51:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:52:10    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:52:10    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:52:41    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:53:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:53:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:53:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:53:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:53:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:53:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:54:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 10:54:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:54:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 10:54:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 10:55:01    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:55:01    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 10:57:45    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x17fc Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 10:58:59    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 10:58:59    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:48    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:02:49    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 11:04:33    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:04:33    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  12548  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:05:10    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x11d8 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\peverify.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceMonikerSupport.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMDiagnostics.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.Presentation.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.Services.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Sockets.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Serialization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Channels.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Discovery.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Internals.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.WasHosting.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.ApplicationServices.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.Extensions.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.DataVisualization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.Activities.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.ComponentModel.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.Runtime.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xaml.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\NativeImages\mscorlib.ni.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC2_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationCore.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework-SystemData.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ReachFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Printing.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Windows.Controls.Ribbon.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationClient.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationClientsideProviders.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationTypes.dll Handle ID: 0x70 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WindowsBase.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WindowsFormsIntegration.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\en-US\PresentationHost_v0400.dll.mui Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_perf.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\compatjit.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\peverify.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceMonikerSupport.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMDiagnostics.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.Presentation.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.Services.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Sockets.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Channels.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Discovery.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Internals.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.WasHosting.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.ApplicationServices.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DataVisualization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Extensions.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.DataVisualization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Runtime.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NativeImages\mscorlib.ni.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC2_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll Handle ID: 0x70 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationCore.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework-SystemData.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHost_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ReachFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Printing.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Controls.Ribbon.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClient.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClientsideProviders.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationTypes.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WindowsBase.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WindowsFormsIntegration.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\en-US\PresentationHost_v0400.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13826  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:05:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  103  2020-03-18 11:05:14    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 11:05:26    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:26    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 11:05:26    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:26    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 11:05:26    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 11:05:27    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10095 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x1068a Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x195b0 Linked Logon ID: 0x1960b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1960b Linked Logon ID: 0x195b0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x195b0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1960b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ????????????????-??6??4????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 11:05:34    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfed9
Security  Audit Success  12292  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12292  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 11:05:35    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xef4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:05:36    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:05:36    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:05:38    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:05:38    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:06:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:06:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:06:20    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x520 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  12290  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6880 Process Creation Time: 2020-03-18T03:06:20.907705000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Process Information: Process ID: 1740 Process Creation Time: 2020-03-18T03:06:46.259601800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Process Information: Process ID: 1740 Process Creation Time: 2020-03-18T03:06:46.259601800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6288 Process Creation Time: 2020-03-18T03:06:46.386464400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6288 Process Creation Time: 2020-03-18T03:06:46.386464400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f11 Linked Logon ID: 0x76f46 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Linked Logon ID: 0x76f11 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13826  2020-03-18 11:06:46    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8f4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:06:47    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:06:47    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:06:47    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  13824  2020-03-18 11:06:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1524 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:06:56    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1524 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 11:06:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:06:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:06:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:06:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:01    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:07:01    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:07:01    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:07:01    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  12544  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:07:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 11:07:06    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:06    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:07:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:07:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:07:31    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:07:31    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:31    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:07:31    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:07:38    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:38    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:07:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:07:49    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x29b4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:07:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:07:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:08:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:08:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:08:21    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:10:39    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:10:39    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:10:39    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:10:39    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  12544  2020-03-18 11:10:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:10:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12545  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  13824  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:10:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  103  2020-03-18 11:10:56    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 11:13:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:04    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 11:13:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:04    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 11:13:04    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 11:13:05    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:10    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12292  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0xfed5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a2f Linked Logon ID: 0x16a76 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a76 Linked Logon ID: 0x16a2f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a2f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a76 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 11:13:11    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfc5a
Security  Audit Success  12292  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd2c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 11:13:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12290  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Process Information: Process ID: 5796 Process Creation Time: 2020-03-18T03:13:13.565600300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Process Information: Process ID: 5796 Process Creation Time: 2020-03-18T03:13:13.565600300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6256 Process Creation Time: 2020-03-18T03:13:13.707641200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6256 Process Creation Time: 2020-03-18T03:13:13.707641200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x4772a Linked Logon ID: 0x47766 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Linked Logon ID: 0x4772a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x4772a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x4a4 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  13826  2020-03-18 11:13:13    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:13:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:13:14    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  12544  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:13:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 7016 Process Creation Time: 2020-03-18T03:13:14.178892600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Linked Logon ID: 0x973ba Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x973ba Linked Logon ID: 0x97335 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x973ba Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:13:20    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13824  2020-03-18 11:13:22    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:13:22    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 11:13:25    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:25    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:13:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:13:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:13:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:13:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:13:26    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 11:13:31    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24d0 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12290  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12290  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  13824  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:01    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12290  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:02    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 11:14:07    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:14:07    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:14:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:14:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:14:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:14:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:14:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:14:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:14:41    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:14:42    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:14:42    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:14:43    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:14:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:14:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:14:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:14:43    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 11:15:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:15:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:15:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:15:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:15:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:16:51    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x388 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 11:19:14    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:19:14    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:19:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:19:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:19:17    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:19:17    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:20:37    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:20:37    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:20:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:20:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:23:34    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:23:34    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:23:37    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:23:37    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:23:37    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:23:37    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:23:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:23:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:24:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:24:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:24:02    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x29b4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:24:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:24:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0xa68 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0xa24 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_advancedinstallers_0c6bb4866bff02f7.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xa34 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_advancedinstallers_dfe2cf200b391371.cdf-ms Handle ID: 0xa68 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_fc2045b9046cc796.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_version_10.0.18362.710_8deca0bb0619542f.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_sqm_51d9d5f9de5a2fa5.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_sessions_5591aee9e2456a35.cdf-ms Handle ID: 0x98c Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_packages_46c20bc5f833cc43.cdf-ms Handle ID: 0xa34 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_logs_cbs_10a752bcbbaee88b.cdf-ms Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\poqexec.exe Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:24:11    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\poqexec.exe Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  12544  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13826  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:24:12    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:13    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:14    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:24:21    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 11:24:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:24:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:26:50    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:26:50    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:26:50    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:26:50    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:26:54    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x18f8 Process Name: C:\Windows\explorer.exe
Security  Audit Success  13824  2020-03-18 11:27:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1740 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 11:28:16    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:28:16    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:30:40    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  12544  2020-03-18 11:30:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:30:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:30:48    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:30:48    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:30:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:30:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:30:52    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:30:52    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:30:52    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:30:52    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:32:40    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:32:40    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:35:30    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:35:30    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:35:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:35:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:36:01    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:36:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:36:49    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:36:49    Microsoft-Windows-Security-Auditing  5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 This event occurs when a user enumerates stored vault credentials.
Security  Audit Success  12544  2020-03-18 11:36:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:36:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:37:29    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:37:29    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  12548  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:37:33    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\bootmgfw.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\bootmgr.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\memtest.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\bootmgr Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdd.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ci.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hal.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lsasrv.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdll.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntoskrnl.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\offlinelsa.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\securekernel.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\skci.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tcblaunch.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tcbloader.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winload.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winload.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winresume.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winresume.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winresume.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winresume.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\afd.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ahcache.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\clfs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\crashdmp.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgkrnl.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgmms1.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgmms2.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\FWPKCLNT.SYS Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ksecpkg.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\mrxsmb.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\mrxsmb20.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ndis.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ndiswan.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ntfs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\pdc.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\rdbss.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\refs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\storport.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\tcpip.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\volsnap.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\winnat.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdll.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_winsxs_installtemp_a7200a27e5239119.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_waas_401032e7a18c2040.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_waas_services_ddfc4ae175ff1678.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_twain_32_209f76caa35c9a77.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_tracing_bca9e27848ac4cc0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_tapi_401030b7a18c2556.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_zh-cn_c63f31ac3bbd74ba.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_zh-cn_79e3012172cd67c3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_provisioning_a90c2174ca14f6c9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_en-us_79e30ca972b850e5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_wbem_1bf25d11bb30b33f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_speech_onecore_voiceactivation_64af56b9bf516892.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_speech_onecore_common_3ac1627a1b848769.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_setup_b8f1f0fc4fb15499.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_recovery_359f81e4d381fca3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_oobe_1bf24c07bb30ce37.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_migration_bdcfa47e8790e0c4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_volume_core_f4caba3f8d1530f8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_oem_core_70db5f046a21e239.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_default_core_80ee44699e45274c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_drivers_193c6528ad70a5e7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_1bf2381fbb30eb13.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_zh-cn_c2fe5b7292c1efd7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_en-us_c5f337028c1b1b59.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_397022e597c7bf30.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_936cc011f8712e92.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_09753eb0ca774ef7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_roaming_3bee7e22f285c764.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_locallow_062ee28842850640.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_local_0bd41f8b89ae9a9e.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_0307ca33e1cd9708.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_0b97cbddb6bef8ee.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_6f826ed139dc38ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_b04b2dbada91ba13.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_fonts_e1429b15bb7a603f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_pris_c69f4420e8b9ac96.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_80571585edc0bc10.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_a2baca8046478552.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_assets_5ec4ff00d0d98653.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_assets_45f5e040701cd097.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_pris_8eb5d62ebc93ca12.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.printdialog_bd64301dff14d784.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.printdialog_pris_0268448be4f886da.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.pcshell_f32245a82a039128.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.pcshell_peoplepane_assets_1773a8a6e1ab2266.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.systemtoast.calling_40954ac04ff75ba9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.systemtoast.calling_images_ab93f75fc87b1c0d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_microsoft.windows.sechealthui_5bb2238b2acc9da0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_8cdc4a2b89a0ce24.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_assets_2c72493351d74c03.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_assets_fonts_6ccf17025b49a9e7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_2d6b8920d3f31e0d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.contentdeliverymanager_cw5n1h2txyewy_6369fdd3e5ab0989.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.contentdeliverymanager_cw5n1h2txyewy_images_f48d365ca6bf839f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_e92250ef2519d1f6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_0c3414e5ea9b964c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_608128e0971fe102.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_views_ab3b53e7951674ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_js_c50fa6bbbb7c87b1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_2902e194c40c2d99.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_view_fa144ce8b696a5f6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_js_30c977d57667d018.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_40a8494b26aff035.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_view_878bf08afd4f7608.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_js_b837e3558be51686.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_47e577bfb89f66ff.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_view_ffe5b70b18357b66.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_media_2e29d64a701c210b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_js_2be3c432c2ce3ede.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_js_common_5c49fd1a5570d1f3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_d9ae0f7fd2cccc94.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_view_a30cd40228c98533.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_js_04768872769d851d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_d9ae09c5d2ccd3fb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_view_9d516b3c2e3e1a84.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_view_templat_72e2a4dd8431fbed.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_media_fff1539a1a4e3fb7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_js_fed525f87d913b20.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_js_common_9b35fdf5c98f69bb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_css_9d5145ddb46283ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_hololensdiagnostics_views_d5eef763b212983a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_hololensdiagnostics_js_8c1a5a20ff89a7b5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_82255765359ba571.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_vi_7e71e645381609fd.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_js_c58adfa13ec3cacc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_24a5fefd01d630ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_views_c7398a706c782c0f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_js_08cf6efb11d0da96.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_views_f55d581a0acbb522.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_f55759080d09bc14.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_4009_f24be8641cd5eaeb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_1009_f24be8d01cd5e9f8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c0c_f24bfc161cd5cc82.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c0a_f24bf84a1cd5d234.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c09_f24be91a1cd5e8fc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_080a_f24bf8341cd5d297.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0809_f24be9041cd5e95f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0804_f24bdf861cd5f79c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0416_f24be34a1cd5f20f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0411_f24bd9cc1cd6004c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0410_f24bd7e61cd60325.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_040c_f24bfbf81cd5cd09.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0409_f24be8fc1cd5e983.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0407_f24be5301cd5ef35.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_retaildemo_d6007de2c4449ca2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_pris_4436110b27fc8d08.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_36e69b3b0e7ecf70.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_js_c3e6a46e6987d93b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_css_1f290cb460a43b49.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_media_f54b539a0b1cc81a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_lib_b0f47f90f3500a51.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_js_91283bc423026fc5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_images_f5434c400d60dd7c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_fonts_f53d61bc0b5bbe04.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_data_4436285d27fc685e.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_data_prod_c85cee3a7af640ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_css_b0f49fc4f34fda43.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_443623ff27fc6f6b.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_view_c303ad0c866a9c46.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_js_2a738435bdbe8f70.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_js_applaunchers_de40849bf361043c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_43d095bdcce4e130.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_pris_4719a634d2c04eec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_f8075bc7ad02362b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_webnotes_febc6b7abccb2874.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_readingview_e64e82231b0e5fce.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_readingview_css_3066d24b0856bea1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_persona_4fd2132d4ad15439.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_offlinetabs_7d551ad6791e5fc2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_offlinetabs_offlinetabs_files_606f2d436ca9f85f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_pinjsapi_85e7afd298d161a3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_pinjsapi_content_bce4d61c88fff4ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_learningtools_25cb263578b00eec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_dcb3be839f31d5cd.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_prefill_578958a487bb2d19.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_document_3a04a7fa7c0c1008.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_content_5091a4e29314f3d6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_fonts_206f147a74e786c9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_errorpages_73ec08ffb6105e23.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_dictionary_0a4f3c3a52411629.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_contextmenu_6a54d142fb74801d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_990e8d61fcad5c14.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_js_78c5ff49aa9e261b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_css_38b1881b8abcd7a5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_booklibrary_3e904335483f7fff.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_applicationguard_8359e7f74deb583c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_fc38de406c5c8223.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_pris_f2961b1ae98936c3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_assets_b23e6d9669ed5578.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_zh-cn_6a8499504900c466.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_zh-cn_028e5dc1cad565fb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_tls_36c96f1eb9feecc5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_provisioning_59992d8d97512395.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netswitchteam_c23a4af35d296eac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netlbfo_dfa61a2ec6bf8e00.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netconnection_bcd4e6858fe3adb5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_en-us_028e6949cac04f1d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_071a28c5b510fb6a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_facedriver_1cf62c11bac4d1af.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_facedriver_amd64_a24e7f3c1523e31d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_zh-cn_4260d62eb8680d01.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_unp_06656839d047b419.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_systemresetplatform_14fecc2716acccef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_tokens_skus_coresinglelanguage_c30c5cdb26133062.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_tokens_skus_core_1cc91710e2d99b18.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_store_2.0_774a618ff1521716.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_plugin-manifests-signed_d1e9d31c180bebd2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spool_prtprocs_x64_bfba530a0f4e6934.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_speech_onecore_voiceactivation_57f72a0344e2d398.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_speech_onecore_common_60bf750299e8ab15.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_setup_5d3758a05cf4a445.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_recovery_f87e94e0816fb86b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_perceptionsimulation_782fb292607e7bbe.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_perceptionsimulation_assets_26be616134e2f347.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_openssh_f142c5dc07dcf27a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_oobe_06655c95df2fa06f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_networklist_029a48465a9cac56.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_networklist_icons_2b49083c03963dec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_2650d8d30fee1fe9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_174c7b92bb7d581f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_sppmig_61344cc740310c55.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-textservicesframework-migration_55ee7b7ed7f684bc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-shmig_9ef85dcb89d16c58.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-directoryservices-adam-client_acf5a5eb145af9c7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_f1386c432966667b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_microsoft-windows-textservicesframework-migration-dl_549205906affe6bf.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migration_927a21df1acd7c18.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_logfiles_cloudfiles_4f1ca5d4f4bf5aad.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_volume_core_7d7616e8e51d2f30.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_oem_core_dbf7b420a872a98d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_default_core_743617bc23d69252.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_keywords_eb5d4b4494a589fe.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ja-jp_4c1d2478769bf2f4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ime_shared_5a5b3a5824d8fee4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_icsxml_1f8f393b196e65ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_fr-fr_448347788202c03b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_fr-ca_448327328202f0a1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_umdf_a531b5dc588477d3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_066548addf2fbd4b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_zh-cn_035a5f2073af1d51.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_en-us_064f3ab06d0848d3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_diagsvcs_dd4fddd4aaa5e8ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_de-de_40b6416a87b647ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ddfs_06654947df2fbc31.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_1277fa612e559336.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_9dec82772012c8ca.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_92209b51227f4d2f.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_roaming_3488f27ae602299c.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_locallow_ecfb9e22d0b5fdec.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_local_bceee85fd37df118.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_e9af9308cfc26dc2.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_cipolicies_staged_276d48e6ef8844ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_cipolicies_active_29d3e16aea6e0340.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_boot_06654401df2fc50e.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_appraiser_59bebec9f06db09b.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system_4c3aa2308f9f8f41.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system_speech_00e1f005eaf69ef5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_shellexperiences_2912c63bd045ac45.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_fc2045b9046cc796.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_editions_596ea20ddafb9f7d.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_security_fe3ad40cd6e08c7c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cc9458acec1840ff.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_packages_e07c8f8a91f541c4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_b2feb78251a8a259.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_oem_c5f03ab2bad804ca.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_mo_c5f03b0eb90452f5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_microsoft_77338a94bd8669dd.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_autopilot_705495c13beba2f8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_printdialog_af71281e89102b83.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_prefetch_1688e4e8b2f89473.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_89130cdfc4d9c27c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_zh-cn_382780099447a92c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_en-us_3b1c5b998da0d4ae.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_0bde462ce96f215e.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_a2604845b2b380ca.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_logs_measuredboot_ab1fadc53c86b337.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_livekernelreports_13126bbee8c1252a.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_l2schemas_d7bb5637381de58c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_installer_0d1280e2e633dc00.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_a2c41dc1731a4204.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_0000_2e6e3f1caf9fca20.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugthrsvc_9c5b081f28f83f11.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugthrsvc_0000_8451c300df70be5f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugatherer_9f1f9c5b6cd50d98.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugatherer_0000_046b5203f9ca3f14.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_1e6ccf0e6a91b570.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_zh-cn_80cdca5e7a4c19a6.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_d76332102e6a9a22.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_view_34ee44a07ef70449.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_assets_6ba5b2461d9725af.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_pris_a05890fcf353f1d8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_images_2e6232377292b2dc.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_en-us_83c2a5ee73a54528.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_identitycrl_e7d9c9e97cfb8b01.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_globalization_0fc22903a221b67f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_0600d0deecd2b5a2.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_settings_56f8a3f40ce5a801.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_scenarios_ce5f6e43b7ab3f41.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_containers_serviced_07c9b2b35f82b615.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_40104b85a18bfcb2.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_0f8924c0debe64e4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_qps-ploc_109d95b40d3e11cb.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_misc_pcat_6b00b12988eafd38.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_efi_0f890f82be247f42.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_de3c4ceb52549e1c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_en-us_8245c3aed97c0844.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_bcastdvr_fab1ebc0dbf2dacb.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_1143992cbbbebcab.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_zh-cn_31758f6e3c3f408b.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_en-us_098dc872781aebb9.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_appcompat_appraiser_33781004733ffeee.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_appcompat_appraiser_telemetry_94274e99519f58a9.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_8c076a3be22985a1.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_videos_20f7329ef941f593.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_pictures_f5e7b0c0fda4db8c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_music_8c1f3dc399e79184.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_libraries_de6591322faedac0.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_downloads_631cc37cff593fe6.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_documents_70461e22eba239ef.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_desktop_2377dac7383055bd.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_73615b64075aa65f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_videos_4078dfd58aff2cd5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_saved_games_57aaea1c026aa551.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_pictures_209185c2b71537e4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_music_4066f7392302d756.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_links_4064ed15230be7d0.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_favorites_d09a481c8ccc2a28.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_downloads_d0a063ac92c2c070.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_documents_a9a4e48ccdf32dcf.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_desktop_39aa59e1159d1203.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_33f0d5f51e505ec2.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_482f0bdd00d1643d.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_b898cfd29d5951f1.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_4793cab2f72cc262.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_templates_9327e87141b4e78f.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_5eb528778fd8d821.cdf-ms Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_programs_8181428e5873cb4e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_programs_accessories_73cb70a3fcd6fd42.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_sendto_cc2b2363b7303311.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_recent_ca449f9bba09f987.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_network_shortcuts_cbcbd4ac7028a985.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_internet_explorer_quick_launch_c0ec1d6b06e5808b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_bc5dd6ae41aaaeeb.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_temp_3274946c96022019.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_3433db0fbe07ab7f.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windowsapps_522fbbfd57c17136.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_9e28651fd972d480.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_inetcookies_706c818672b5499f.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_inetcache_93b6f38324ca2118.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_history_f4337fe0129e212c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_gameexplorer_5a14824a005868dd.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoshared_logs_user_cc47ba2ac1c4ac78.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoshared_logs_system_1d654048a9eadf5a.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoprivate_f18983166baec8e8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_ssh_538e540ae643d2cc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_softwaredistribution_ae0bdc9bb1bbdfab.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_ef9cc294168a8b97.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_logs_d0133fe6679072ac.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_health_advisor_caf4bd491726b327.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_temp_783673b09e921b6b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_reportqueue_9ca35f30fc68b178.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_reportarchive_5449504010b82c41.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_templates_15e72976404301fc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_startup_b13751030220a596.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_packagedeventproviders_c79719361ec06661.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_gameexplorer_eb83b477ca9834cc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_devicemetadatastore_2e1ff34936d2e8e5.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_debc96072b71b0d5.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_install_149a5029c4c64782.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_import_865699c21a2ad5a2.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_genuineticket_d7322dcf4073011e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_archive_f622c70ff2ada08b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_3e49394d38e6ac94.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_packages_711aa2dd7039ca9d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_families_5e2e105f8c5e974e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_speech_onecore_587c58cfbeda0062.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_network_downloader_7fafaef6d33e4371.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_crypto_pcpksp_windowsaik_cb9775b914a8e5a2.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_e9607c93dd43c2ea.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_network_sharing_f29a3dd721834a7e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_media_renderer_750773e49fdbfa5b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_internet_explorer_cafab575245eacb0.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_8909e9aceeb80d44.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_mutablebackup_726f6fa1fbd23cbc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_mutable_4773d03dc650afca.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_deleted_382e0caddd5f5e75.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_da4e5f6eb3198de9.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_network_sharing_aed05552f451fd7d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_media_renderer_5001a1a5de706f6e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_zh-cn_a607efc90bb51673.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_en-us_a607fb510b9fff95.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_modifiablewindowsapps_230f2b3b95f10a16.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_internet_explorer_a421d1bfaf856e2b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$recycle.bin.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Internet Explorer\iediagcmd.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Internet Explorer\IEShims.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\DefenderCSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\MpEvMsg.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\ProtectionManagement.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\zh-CN\MpEvMsg.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files (x86)\Internet Explorer\IEShims.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\explorer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\AcRes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\drvmain.sdb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\sysmain.sdb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\en-US\AcRes.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\zh-CN\AcRes.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\bcastdvr\KnownGameList.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys_noprompt.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettings.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\Telemetry.Common.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\en-US\SystemSettings.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\zh-CN\SystemSettings.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\apps.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\printupg.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\sceregvl.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\secrecs.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\en-US\TextInput.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\zh-CN\InetRes.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\zh-CN\TextInput.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PrintDialog\PrintDialog.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Cosa\Microsoft\Microsoft.Windows.Cosa.Desktop.Client.ppkg Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\servicing\TrustedInstaller.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\servicing\Editions\EditionMatrix.xml Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\ClockFlyoutExperience.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\DevicesFlowUI.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\Insights.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\MtcUvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PenWorkspace.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PeopleCommonControls.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PeoplePane.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\ScreenClipping.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AarSvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\acmigration.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ActivationManager.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aeinv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\agentactivationruntime.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\agentactivationruntimewindows.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\appinfo.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ApplicationControlCSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ApplyTrustOffline.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\appraiser.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppxAllUserStore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXApplicabilityBlob.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentClient.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentExtensions.desktop.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentExtensions.onecore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentServer.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\asycfilt.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audiodg.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEndpointBuilder.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEng.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AUDIOKSE.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audioresourceregistrar.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioSes.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audiosrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\autopilot.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\autopilotdiag.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AxInstSv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AxInstUI.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BarcodeProvisioningPlugin.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BCP47Langs.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BCP47mrm.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\bindflt.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\bisrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdp.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdpsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cellulardatacapabilityhandler.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakra.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakradiag.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakrathunk.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\clfsw32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ClipSVC.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ClipUp.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cloudAP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\clusapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\combase.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\comctl32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\comdlg32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\compstui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\computecore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ConhostV1.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CPFilters.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\crypt32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cryptcatsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CustomInstallExec.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DAFMCP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DafPrintProvider.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\daxexec.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Defrag.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\defragsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceDirectoryClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceMetadataRetrievalClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DevicePairingExperienceMEM.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceReactivation.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceUpdateAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfrgui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagnosticLogCSP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\diagtrack.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\directml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DispBroker.Desktop.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DMAlertListener.ProxyStub.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dmcmnutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DolbyDecMFT.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dosvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3api.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3msm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3svc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth1.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth10.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth11.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth12.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth2.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth3.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth4.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth5.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth6.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth7.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth8.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth9.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DscCore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dssvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dstokenclean.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DTUHandler.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmtask.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dwmcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DWWIN.EXE Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dxgi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EdgeContent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\edgehtml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\edgeIso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EdgeManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditBufferTestHook.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditionUpgradeHelper.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditionUpgradeManagerObj.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\enterprisecsps.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EnterpriseDesktopAppMgmtCSP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\enterpriseresourcemanager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\esent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Faultrep.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FaxPrinterInstaller.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fdSSDP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fdWSD.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\findnetprinters.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FntCache.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FrameServer.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FSClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FsIso.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gdi32full.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GdiPlus.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\globinputhost.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GraphicsCapture.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HologramCompositor.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HologramWorld.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HolographicExtensions.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvax64.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvix64.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvloader.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Hydrogen.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\icsunattend.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ie4uinit.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iedkcs32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ieframe.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iemigplugin.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ieproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iertutil.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ImplatSetup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IndexedDbLegacy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\inetcpl.cpl Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InputLocaleManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InputService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallServiceTasks.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\invagent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ipnathlp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iprtprio.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iprtrmgr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ISM.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript9.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript9diag.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jsproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdhvcom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kerberos.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KernelBase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\keyiso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCsp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LangCleanupSysprepAction.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LanguageComponentsInstaller.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LaunchTM.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LaunchWinApp.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LicensingWinRT.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\localspl.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\logoncli.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpksetup.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpksetupproxyserv.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpremove.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MBMediaManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MBR2GPT.EXE Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mcicda.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mciseq.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mciwave.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MCRecvSrc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MDMAppInstaller.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MdmDiagnostics.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mf.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mf3216.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfasfsrcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmp4srcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmpeg2srcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfplat.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfreadwrite.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsensorgroup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsrcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsvr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Microsoft.Graphics.Display.DisplayEnhancementService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountCloudAP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountExtension.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountTokenProvider.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mpnotify.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mprdim.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSAProfileNotificationHandler.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msauserext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msctf.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeeds.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeedsbs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeedssync.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSFlacDecoder.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSFlacEncoder.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mshtml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mshtml.tlb Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msimg32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msimsg.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msIso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msmpeg2vdec.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msscntrs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssitlb.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssph.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssprxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssrch.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:52    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssvp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mstscax.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msutb.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MUILanguageCleanup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\musdialoghandlers.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotification.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotificationUx.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotifyIcon.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusUpdateHandlers.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ncsi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetDriverInstall.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netlogon.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netman.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netprofm.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netprofmsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetSetupApi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetSetupEngine.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NFCProvisioningPlugin.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ngcpopkeysrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlaapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlasvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlmproxy.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlmsprep.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\notepad.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NotificationController.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\npmproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\odbc32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ole32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oleaut32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\omadmapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\omadmclient.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\OpenWith.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ortcengine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pacjsworker.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pidgenx.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pkeyhelper.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pnpclean.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\printui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provdatastore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provengine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provhandlers.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provisioningcsp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provops.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provpackageapidll.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ProvPluginEng.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ProvSysprep.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provtool.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\puiapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\puiobj.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\qmgr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rasmans.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpbase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpclip.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcorets.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpencom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpnano.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpserverbase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpsharercom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpudd.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpviewerax.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdsdwmdr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ReAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\recdisc.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\refsutil.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\regapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\remoteaudioendpoint.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\RemovableMediaProvisioningPlugin.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\reseteng.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngine.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngOnline.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\resutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rpcrt4.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rstrui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmcodecs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmmvrortc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmpal.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmpltfm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\runexehelper.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\scecli.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdclt.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdengin2.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdrsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdshext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Search.ProtocolHandler.MAPI2.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchFilterHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchIndexer.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchProtocolHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecConfig.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sechost.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthProxyStub.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthService.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthSSO.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthSystray.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsEnvironment.Desktop.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_AppExecutionAlias.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_BackgroundApps.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_CapabilityAccess.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_Language.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_Notifications.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_SpeechPrivacy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_StorageSense.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SgrmEnclave_secure.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\shell32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\slui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SpatialAudioLicenseSrv.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppcext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppcomapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SppExtComObj.Exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppobjs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppsvc.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppwinob.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SRH.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srms.dat Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srrstr.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SrTasks.exe Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\StartTileData.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sti.dll Handle ID: 0x80 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sti_ci.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\StructuredQuery.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sxs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sxstrace.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sysmain.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SysResetErr.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\systemreset.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettings.Handlers.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettingsAdminFlows.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettingsThresholdAdminFlowUI.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tapisrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Taskmgr.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tbs.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TelephonyInteractiveUser.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TelephonyInteractiveUserRes.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\termsrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TetheringMgr.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TextInputFramework.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TextInputMethodFormatter.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tier2punctuations.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TpmCertResources.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TpmCoreProvisioning.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tquery.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tsgqec.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tsmf.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinapi.appcore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinui.pcshell.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\udhisapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\uDWM.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UIAutomationCore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UpdateDeploymentProvider.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\upnpcont.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\upnphost.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\uReFS.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\urlmon.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\user32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UserLanguageProfileCallback.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usoapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UsoClient.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usocoreworker.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usosvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\utcutil.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vbscript.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vdsbas.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vpnike.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\VPNv2CSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicAgent.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicCapsule.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicPS.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicSvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbengine.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wci.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wcmcsp.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wcmsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\webio.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\webplatstorageserver.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WebRuntimeManager.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Websocket.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wer.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werconcpl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wercplsupport.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werdiagcontroller.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\weretw.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WerFault.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WerFaultSecure.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wermgr.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wersvc.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiaaut.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiadss.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiarpc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiaservc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiatrace.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wifinetworkmanager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wifitask.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wimgapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wimserv.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32appinventorycsp.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Win32CompatibilityAppraiserCSP.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32k.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kbase.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kfull.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32spl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32u.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wincorlib.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.ApplicationModel.ConversationalAgent.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Internal.Management.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Internal.Taskbar.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.EnrollmentStatusTracking.ConfigProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.Provisioning.ProxyStub.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.Service.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.MediaControl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Protection.PlayReady.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Speech.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Speech.UXRes.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Streaming.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Mirage.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Mirage.Internal.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Security.Authentication.OnlineId.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\windows.storage.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.System.Launcher.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.AppDefaults.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Core.TextInput.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.FileExplorer.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Immersive.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Xaml.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsCodecs.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsManagementServiceWinRt.ProxyStub.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\windowsperformancerecordercontrol.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winhttp.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wininet.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Winlangdb.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winlogon.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winmde.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winspool.drv Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinTypes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WiredNetworkCSP.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlidprov.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlidsvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlrmdr.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wmp.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WordBreakers.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkFolders.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkfoldersControl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkFoldersShell.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\workfolderssvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wow64.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wow64cpu.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpncore.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpnprv.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpnservice.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsecedit.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmAgent.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WSManHTTPConfig.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WSManMigrationPlugin.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmAuto.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsmplpxy.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsmprovhost.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmRes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmSvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmWmiPl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsqmcons.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuauclt.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuaueng.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wups2.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuuhosdeployment.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wwanprotdim.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wwansvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\XpsDocumentTargetPrint.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\XpsPrint.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\xpsservices.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winload.efi Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winload.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\de-DE\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.Packaging.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Proxy.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Runtime.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\KernelTraceControl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\CbsProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\DmiProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\FfuProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\GenericProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\ImagingProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\IntlProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\OfflineSetupProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\OSProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\ProvProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\SmiProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\TransmogProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\UnattendProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\VhdProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\WimProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\en-US\TransmogProvider.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\zh-CN\TransmogProvider.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\Acx01000.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\afunix.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\agilevpn.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\bindflt.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\Classpnp.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\cldflt.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\http.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\hvservice.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\KNetPwrDepBroker.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\NdisImPlatform.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\rdpvideominiport.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\srv2.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\srvnet.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\tbs.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\wcifs.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\wimmount.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\UMDF\IddCx.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\autopilotdiag.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\clipsvc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\deviceregistration.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DictationManager.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsreg.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsregcmd.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsregtask.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eappgnui.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eapphost.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eapsvc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\EditionUpgradeManagerObj.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ieframe.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MitigationClient.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MusNotifyIcon.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MusUpdateHandlers.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SecurityHealthAgent.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SettingsHandlers_OneDriveBackup.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SimAuth.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\slui.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\sppcomapi.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\TtlsAuth.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\TtlsCfg.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\UserDeviceRegistration.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\UserDeviceRegistration.Ngc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\Win32_DeviceGuard.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\wsecedit.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fr-CA\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fr-FR\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IME\SHARED\ImeBroker.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IME\SHARED\ImeBrokerps.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ja-jp\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\AppxUpgradeMigrationPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\ClipMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\dafmigplugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\shmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\sppmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\SxsMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\WSearchMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\chxmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\imjpmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\imkrmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\TableTextServiceMig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\International-core-replacement.man Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\shmig-replacement.man Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\microsoft-windows-shmig\shmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\Microsoft-Windows-TextServicesFramework-Migration\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\cmisetup.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\winsetup.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationInput.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationInput.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\setup\RasMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\sapi_extensions.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spool\prtprocs\x64\winprint.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\plugin-manifests-signed\sppobjs-spp-plugin-manifest-signed.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Volume-GVLK-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Volume-GVLK-1-ul-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemResetPlatform\RjvClassicApp.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUX.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUXHost.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUXLauncher.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UpdateNotificationHelpers.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UpdateNotificationMgr.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\cimwin32.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\ndisimplatcim.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\netswitchteamcim.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceBootstrapAdapter.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\HelloFace.cat Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\HelloFace.inf Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceDetectorResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceProcessor.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceProcessorCore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapter.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResources_v4.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResourcesCore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResourcesSecure.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapter.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterVsm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterVsmSecure.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceTrackerInternal.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Provisioning\provpackageapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\autopilotdiag.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\clipsvc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\deviceregistration.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\DictationManager.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsreg.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsregcmd.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsregtask.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eappgnui.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eapphost.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eapsvc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\EditionUpgradeManagerObj.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\ieframe.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MitigationClient.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MusNotifyIcon.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MusUpdateHandlers.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SecurityHealthAgent.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SettingsHandlers_OneDriveBackup.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SimAuth.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\slui.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\sppcomapi.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\TtlsAuth.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\TtlsCfg.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\UserDeviceRegistration.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\UserDeviceRegistration.Ngc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\Win32_DeviceGuard.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\wsecedit.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlUI.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Cortana.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eData.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eView.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\NewTabPageHost.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AntiTheft.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudDomainJoin.DataModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\cloudexperiencehostapi.provisioning.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostAPI.SyncSettings.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostAPI.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Account.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Cortana.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Hello.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.LocalNgc.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.RetailDemo.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.SyncEngine.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\ContentManagement.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\enterprisedevicemanagement.enrollment.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\enterprisedevicemanagement.service.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Family.Cache.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.CloudExperienceHost.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.CloudExperienceHost.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.resourceaccountmanager.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.Extension.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.TokenProvider.Core.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.TokenProvider.Core.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.UserOperations.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo.Internal.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\SystemSettings.DataModel.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\UnifiedEnrollment.DataModel.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\userdeviceregistration.ngc.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\data\prod\navigation-scoobe.json Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\unifiedEnrollment.js Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobelocalaccount-vm.js Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobelocalaccount-main.html Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentDeliveryManager.Background.dll Handle ID: 0x8c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingConfigurationClient.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingLocalSearchService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CGSVCBackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ContactPermissionsActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ContactPermissionsProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.AppToApp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ContactPermissions.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.IntentExtraction.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Internal.Search.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.LocalSearch.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Places.ViewModels.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Reminders.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Search.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Signals.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Sync.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Sync.Worker.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Tips.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.CppWinrt.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaCoreProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSignalsManagerProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSignalsProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSpeechux.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSpeechUXRes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSyncProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DNDActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DoNotDisturbProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\JsonReader.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.bing.client.graph.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\OnlineServices.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PhonePCVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PPIVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReactiveAgentsCommon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReminderActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersShareTargetApp.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesActionUriHandler.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesBackgroundTasks.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesServiceProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPIBackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SharedVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ShellActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SignalsManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\TextEntityExtractorProxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\tws.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VadSharedVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VoiceAgentsCommon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIAppShell.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Chakra.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\comdlg32.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\compstui.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\crypt32.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\dwmcore.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\edgehtml.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\ieframe.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\LaunchTM.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\msctf.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mshtml.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mssvp.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mstscax.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\msutb.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\notepad.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\SearchIndexer.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\shell32.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\sppcomapi.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Taskmgr.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\tquery.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\twinui.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Winlangdb.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\wsecedit.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\Microsoft.Windows.SecHealthUI.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\Windows.UI.SettingsAppThreshold.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\pris\Windows.UI.SettingsAppThreshold.en-US.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\pris\Windows.UI.SettingsAppThreshold.zh-CN.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\Fonts\SetMDL2.ttf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ActivationManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AppxAllUserStore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AppXDeploymentClient.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\asycfilt.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AudioEng.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AUDIOKSE.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AudioSes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\BCP47Langs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\BCP47mrm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\cdp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakra.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakradiag.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakrathunk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\clfsw32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\clusapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\combase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\comctl32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\comdlg32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\compstui.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\CPFilters.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\crypt32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DafPrintProvider.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\daxexec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DeviceReactivation.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfrgui.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\directml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DMAlertListener.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dmcmnutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DolbyDecMFT.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dot3api.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dot3msm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DWWIN.EXE Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dxgi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\edgehtml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\edgeIso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EdgeManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EditionUpgradeHelper.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EditionUpgradeManagerObj.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\enterpriseresourcemanager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\esent.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\explorer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Faultrep.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\fdSSDP.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\fdWSD.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\findnetprinters.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gdi32full.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GdiPlus.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\globinputhost.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GraphicsCapture.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iedkcs32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ieframe.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iemigplugin.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ieproxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iertutil.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\IndexedDbLegacy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\inetcpl.cpl Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallServiceTasks.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iprtprio.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iprtrmgr.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript9.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript9diag.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jsproxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\kerberos.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\KernelBase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\keyiso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LaunchTM.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LaunchWinApp.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LicensingWinRT.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\logoncli.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mcicda.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mciseq.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mciwave.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MCRecvSrc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mf3216.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfasfsrcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmp4srcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmpeg2srcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfplat.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfreadwrite.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfsrcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfsvr.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MicrosoftAccountTokenProvider.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mprdim.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msauserext.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msctf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeeds.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeedsbs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeedssync.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSFlacDecoder.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSFlacEncoder.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mshtml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mshtml.tlb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msimg32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msimsg.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msIso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msmpeg2vdec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msscntrs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssitlb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssph.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssprxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssrch.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssvp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mstscax.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msutb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetDriverInstall.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\netlogon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetSetupApi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetSetupEngine.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\notepad.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\odbc32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ole32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\oleaut32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\omadmapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\OpenWith.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ortcengine.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\printui.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\profapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\profext.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\puiapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\puiobj.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpbase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpencom.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpserverbase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpsharercom.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpviewerax.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ReAgent.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\regapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\remoteaudioendpoint.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\resutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rpcrt4.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmcodecs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmmvrortc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmpal.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmpltfm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\scecli.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Search.ProtocolHandler.MAPI2.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchFilterHost.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchIndexer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchProtocolHost.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sechost.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\shell32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sppcomapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sti.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\StructuredQuery.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sxs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sxstrace.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tapisrv.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Taskmgr.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tbs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\TpmCertResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\TpmCoreProvisioning.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tquery.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tsgqec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tsmf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinapi.appcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinui.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\udhisapi.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\UIAutomationCore.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\upnpcont.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\upnphost.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\uReFS.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\urlmon.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\user32.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\UserLanguageProfileCallback.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\usoapi.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\vbscript.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\webio.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\webplatstorageserver.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Websocket.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wer.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\werdiagcontroller.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\weretw.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WerFault.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WerFaultSecure.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wermgr.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\werui.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiaaut.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiadss.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiatrace.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wimgapi.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32k.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32kfull.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32u.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wincorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Internal.Management.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.MediaControl.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Speech.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Streaming.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Mirage.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Mirage.Internal.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\windows.storage.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.System.Launcher.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.FileExplorer.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Immersive.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsCodecs.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\windowsperformancerecordercontrol.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\winhttp.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wininet.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Winlangdb.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\winspool.drv Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WinTypes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wlidprov.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wmp.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsecedit.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmAgent.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WSManHTTPConfig.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WSManMigrationPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmAuto.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsmplpxy.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsmprovhost.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmRes.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmSvc.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmWmiPl.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\XpsDocumentTargetPrint.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\XpsPrint.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\CbsProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\DmiProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\FfuProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\GenericProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\ImagingProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\IntlProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\OfflineSetupProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\OSProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\ProvProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\SmiProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\TransmogProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\UnattendProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\VhdProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\WimProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\drivers\afunix.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\msctfmig.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\shmig.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\SxsMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\WSearchMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\oobe\cmisetup.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\setup\RasMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Speech_OneCore\Common\sapi_onecore.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\provpackageapi.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\twain_32\wiatwain.ds Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\2213703c9c64cc61ba900531652e23c84728d2a2.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  13568  2020-03-18 11:37:53    Microsoft-Windows-Security-Auditing  4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Security  Audit Success  103  2020-03-18 11:38:01    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 11:38:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:15    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 11:38:15    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 11:38:15    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 11:38:16    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:16    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:21    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10770 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107b8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b53 Linked Logon ID: 0x17b93 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b93 Linked Logon ID: 0x17b53 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b53 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b93 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2dc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2dc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 11:38:22    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10448
Security  Audit Success  12292  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12292  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe74 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 11:38:23    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:38:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:38:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Process Information: Process ID: 496 Process Creation Time: 2020-03-18T03:39:18.532536500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Process Information: Process ID: 496 Process Creation Time: 2020-03-18T03:39:18.532536500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6428 Process Creation Time: 2020-03-18T03:39:18.715965900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6428 Process Creation Time: 2020-03-18T03:39:18.715965900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f668 Linked Logon ID: 0x8f6aa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Linked Logon ID: 0x8f668 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f668 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x510 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  13826  2020-03-18 11:39:18    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:39:19    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:19    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:39:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:39:20    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1f94 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  13824  2020-03-18 11:39:28    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:39:28    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12290  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2508 Process Creation Time: 2020-03-18T03:39:19.236545400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Linked Logon ID: 0xfba8c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba8c Linked Logon ID: 0xfba67 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba8c Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:39:31    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  12544  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:32    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:33    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:34    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:39:41    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:39:41    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:39:44    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 11:39:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:39:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:39:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:39:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:39:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:04    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:04    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:11    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:11    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:20    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:20    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:23    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:23    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:40:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:40:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:40:27    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x17fc Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:40:38    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:40:38    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:40:38    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:40:38    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:40:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x28f4 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 11:41:08    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:41:08    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:41:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:41:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:41:10    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:41:10    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:42:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:42:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:45:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:45:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:45:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:45:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:45:17    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:45:17    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:45:36    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:46:46    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x384 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 11:50:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:50:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:51:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:51:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:52:04    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:53:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1d60 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 11:54:19    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:54:19    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:56:22    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:22    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  12548  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 11:56:26    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  13826  2020-03-18 11:56:28    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
Security  Audit Success  103  2020-03-18 11:56:29    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 11:56:43    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:43    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 11:56:43    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:43    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 11:56:43    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 11:56:44    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x106a6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x106f8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: ????????????????-??6??8????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 11:56:49    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10348
Security  Audit Success  12292  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c4b Linked Logon ID: 0x17c8c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c8c Linked Logon ID: 0x17c4b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c4b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c8c Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:56:50    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12292  2020-03-18 11:56:51    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 11:56:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:56:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe30 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 11:56:51    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xecc Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:56:53    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:56:53    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  103  2020-03-18 11:57:36    Microsoft-Windows-Eventlog  1100: The event logging service has shut down.
Security  Audit Success  13312  2020-03-18 11:57:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:49    Microsoft-Windows-Security-Auditing  4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
Security  Audit Success  13312  2020-03-18 11:57:49    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13573  2020-03-18 11:57:49    Microsoft-Windows-Security-Auditing  4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
Security  Audit Success  13312  2020-03-18 11:57:50    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:50    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:55    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  12288  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security  Audit Success  12292  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  5033: The Windows Firewall Driver started successfully.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x104a2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107e3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Linked Logon ID: 0x18408 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Linked Logon ID: 0x183b5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13312  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13312  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Security  Audit Success  13568  2020-03-18 11:57:56    Microsoft-Windows-Security-Auditing  4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x102ae
Security  Audit Success  12292  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  5024: The Windows Firewall service started successfully.
Security  Audit Success  12544  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13826  2020-03-18 11:57:57    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf44 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:58:00    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:00    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:58:42    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:42    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:58:42    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x504 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  12290  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12290  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6856 Process Creation Time: 2020-03-18T03:58:42.397918200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Process Information: Process ID: 2216 Process Creation Time: 2020-03-18T03:58:45.384541600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Process Information: Process ID: 2216 Process Creation Time: 2020-03-18T03:58:45.384541600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1688 Process Creation Time: 2020-03-18T03:58:45.528329800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1688 Process Creation Time: 2020-03-18T03:58:45.528329800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5dec7 Linked Logon ID: 0x5defe Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Linked Logon ID: 0x5dec7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5dec7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13826  2020-03-18 11:58:45    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:58:46    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:46    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:58:46    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1d18 Process Name: C:\Windows\System32\SearchIndexer.exe
Security  Audit Success  13824  2020-03-18 11:58:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 11:58:55    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 11:58:57    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:57    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:58    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:58:59    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 11:59:00    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 11:59:02    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:02    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 11:59:06    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  12544  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 11:59:09    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:10    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:10    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:13    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:13    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:15    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:15    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 11:59:15    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2c4c Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 11:59:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:47    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:47    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:52    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:52    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 11:59:54    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 11:59:54    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 12:00:42    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:00:42    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 12:00:43    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 12:00:43    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:00:43    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 12:00:43    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 12:04:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:04:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 12:05:34    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x978 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 12:09:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:09:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 12:13:45    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:13:45    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12544  2020-03-18 12:14:52    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 12:14:52    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:14:52    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 12:14:52    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 12:14:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25b8 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  12544  2020-03-18 12:14:54    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:14:54    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 12:14:56    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24f4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Linked Logon ID: 0x443d61 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d61 Linked Logon ID: 0x443d39 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d61 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 12:15:03    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  12544  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-2 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-2 Account Name: UMFD-2 Account Domain: Font Driver Host Logon ID: 0x449c91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b081 Linked Logon ID: 0x44b0bb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b0bb Linked Logon ID: 0x44b081 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b081 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security  Audit Success  12548  2020-03-18 12:15:08    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b0bb Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
Security  Audit Success  12545  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security  Audit Success  13824  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  13824  2020-03-18 12:15:09    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12545  2020-03-18 12:15:10    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107e3 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 12:15:11    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 12:15:11    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  13824  2020-03-18 12:15:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 12:15:11    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 12:15:12    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 12:15:12    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  12290  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Process Information: Process ID: 8476 Process Creation Time: 2020-03-18T05:10:37.581408700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
Security  Audit Success  12292  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Process Information: Process ID: 8476 Process Creation Time: 2020-03-18T05:10:37.581408700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
Security  Audit Success  12544  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Linked Logon ID: 0x466656 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Linked Logon ID: 0x466632 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13826  2020-03-18 13:10:37    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\svchost.exe
Security  Audit Success  12544  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security  Audit Success  12544  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Linked Logon ID: 0x47a094 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12544  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a094 Linked Logon ID: 0x47a038 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12545  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a094 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12545  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Security  Audit Success  12548  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x28b4 Process Name: C:\Windows\System32\LogonUI.exe
Security  Audit Success  13824  2020-03-18 13:10:38    Microsoft-Windows-Security-Auditing  5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
Security  Audit Success  13824  2020-03-18 13:10:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:10:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:10:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:10:47    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  12544  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:51    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:52    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Security  Audit Success  13824  2020-03-18 13:10:53    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  12544  2020-03-18 13:10:56    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 13:10:56    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 13:11:09    Microsoft-Windows-Security-Auditing  5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Security  Audit Success  13824  2020-03-18 13:11:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1810 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Security  Audit Success  12544  2020-03-18 13:12:27    Microsoft-Windows-Security-Auditing  4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security  Audit Success  12548  2020-03-18 13:12:27    Microsoft-Windows-Security-Auditing  4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Security  Audit Success  13824  2020-03-18 13:16:04    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:16:04    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:16:04    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:16:04    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:27    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:29    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:29    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:29    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:29    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:27:29    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:27:31    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13824  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
Security  Audit Success  13826  2020-03-18 13:30:05    Microsoft-Windows-Security-Auditing  4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
System  Warning  212  2020-03-18 10:09:46  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 10:09:46  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Error  None  2020-03-18 10:09:56    EventLog  6008: The previous system shutdown at 1:38:53 AM on ?3/?16/?2020 was unexpected.
System  Warning  None  2020-03-18 10:09:57  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:09:57  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Error  None  2020-03-18 10:09:58  1332  DCOM  10010: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
System  Warning  None  2020-03-18 10:09:59  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  None  2020-03-18 10:09:59  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10004: WLAN Extensibility Module has timed out. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  None  2020-03-18 10:09:59  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10004: WLAN Extensibility Module has timed out. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Error  None  2020-03-18 10:10:00    Service Control Manager  7023: The LanmanServer service terminated with the following error: %%1115
System  Warning  212  2020-03-18 10:10:13  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 10:10:14  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 10:10:30  LOCAL SERVICE  Microsoft-Windows-Time-Service  134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
System  Warning  None  2020-03-18 10:10:32  LOCAL SERVICE  Microsoft-Windows-Time-Service  134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
System  Error  None  2020-03-18 10:11:12    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 10:11:12    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  7  2020-03-18 10:11:25  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 10:15:20  LOCAL SERVICE  Microsoft-Windows-Time-Service  134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
System  Warning  None  2020-03-18 10:15:52  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  212  2020-03-18 10:16:04  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 10:16:04  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 10:16:14  LOCAL SERVICE  Microsoft-Windows-Time-Service  134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
System  Warning  None  2020-03-18 10:16:15  LOCAL SERVICE  Microsoft-Windows-Time-Service  134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
System  Warning  None  2020-03-18 10:16:31    Netwtw08  6062: 6062 - Lso was triggered
System  Error  None  2020-03-18 10:17:01    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 10:17:01    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  None  2020-03-18 10:17:02  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:17:02  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  1014  2020-03-18 10:17:04  NETWORK SERVICE  Microsoft-Windows-DNS-Client  1014: Name resolution for the name settings-win.data.microsoft.com timed out after none of the configured DNS servers responded.
System  Warning  7  2020-03-18 10:17:15  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Error  None  2020-03-18 10:18:49    Service Control Manager  7023: The Windows Modules Installer service terminated with the following error: %%16389
System  Error  None  2020-03-18 10:18:51  SYSTEM  DCOM  10005: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
System  Warning  None  2020-03-18 10:18:54  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  212  2020-03-18 10:19:07  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 10:19:07  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Error  None  2020-03-18 10:20:01    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 10:20:01    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  None  2020-03-18 10:20:01  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:20:01  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  7  2020-03-18 10:20:18  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 10:23:49  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:23:49  LOCAL SERVICE  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:25:57  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:34:17    Netwtw08  6062: 6062 - Lso was triggered
System  Error  None  2020-03-18 10:34:34  redblue  DCOM  10010: The server Microsoft.XboxGamingOverlay_2.26.14003.0_x64__8wekyb3d8bbwe!App.AppXrfdt3p0f38tc4nxz7ajrd5as6ctb0dck.mca did not register with DCOM within the required timeout.
System  Warning  1014  2020-03-18 10:34:59  NETWORK SERVICE  Microsoft-Windows-DNS-Client  1014: Name resolution for the name ris.api.iris.microsoft.com timed out after none of the configured DNS servers responded.
System  Warning  None  2020-03-18 10:44:47  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:48:04  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:52:31  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:55:41  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 10:57:05  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:05:15  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  212  2020-03-18 11:05:26  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 11:05:26  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Error  None  2020-03-18 11:06:20    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 11:06:20    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  7  2020-03-18 11:06:38  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 11:06:59  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:07:06  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:07:41  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:08:07    Netwtw08  6062: 6062 - Lso was triggered
System  Warning  None  2020-03-18 11:08:22  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:08:22  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:08:22  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:10:57  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  212  2020-03-18 11:13:04  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 11:13:04  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 11:13:17    Netwtw08  6062: 6062 - Lso was triggered
System  Warning  None  2020-03-18 11:13:27  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Error  None  2020-03-18 11:13:57    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 11:13:57    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  None  2020-03-18 11:14:01  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  7  2020-03-18 11:14:15  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 11:15:58  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:15:58  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:15:58  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:16:11  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:20:51  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:27:12  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:30:52  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
System  Warning  None  2020-03-18 11:31:02    Netwtw08  6062: 6062 - Lso was triggered
System  Warning  None  2020-03-18 11:36:49  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:38:02  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
System  Warning  212  2020-03-18 11:38:15  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 11:38:16  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 11:38:28    Netwtw08  6062: 6062 - Lso was triggered
System  Error  None  2020-03-18 11:39:08    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 11:39:08    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  7  2020-03-18 11:39:27  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 11:39:35  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:40:12  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:41:10  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:41:10  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:41:10  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:46:06  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:52:12  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:52:15  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:52:47  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:55:28  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 11:56:30  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
System  Warning  212  2020-03-18 11:56:43  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 11:56:44  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 11:56:55    Netwtw08  6062: 6062 - Lso was triggered
System  Error  None  2020-03-18 11:57:35    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 11:57:35    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  None  2020-03-18 11:57:36  SYSTEM  Microsoft-Windows-WLAN-AutoConfig  10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
System  Warning  212  2020-03-18 11:57:49  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
System  Warning  212  2020-03-18 11:57:50  SYSTEM  Microsoft-Windows-Kernel-PnP  219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
System  Warning  None  2020-03-18 11:58:01    Netwtw08  6062: 6062 - Lso was triggered
System  Error  None  2020-03-18 11:58:42    Service Control Manager  7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
System  Error  None  2020-03-18 11:58:42    Service Control Manager  7000: The SynaAssist service failed to start due to the following error: %%1053
System  Warning  None  2020-03-18 11:59:01  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
System  Warning  7  2020-03-18 11:59:01  SYSTEM  Microsoft-Windows-Kernel-Processor-Power  37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
System  Warning  None  2020-03-18 11:59:02  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 12:00:44  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 12:00:44  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 12:00:44  SYSTEM  DCOM  10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 12:04:54  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Error  2  2020-03-18 13:10:37    Microsoft-Windows-NDIS  10317: Miniport Microsoft Wi-Fi Direct Virtual Adapter #2, {16d1bd60-e7f5-4fd4-b8f2-eeec0cc58a2e}, had event 74
System  Warning  None  2020-03-18 13:10:47  redblue  DCOM  10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
System  Warning  None  2020-03-18 13:10:52    Netwtw08  6062: 6062 - Lso was triggered
System  Warning  None  2020-03-18 13:10:58  redblue  DCOM  10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.


Database Software

 
Database Drivers:
Borland Database Engine  -
Borland InterBase Client  -
Easysoft ODBC-InterBase 6  -
Easysoft ODBC-InterBase 7  -
Firebird Client  -
Jet Engine  4.00.9801.20
MDAC  10.0.18362.1 (WinBuild.160101.0800)
ODBC  10.0.18362.693 (WinBuild.160101.0800)
MySQL Connector/ODBC  -
Oracle Client  -
PsqlODBC  -
Sybase ASE ODBC  -
 
Database Servers:
Borland InterBase Server  -
Firebird Server  -
Microsoft SQL Server  -
Microsoft SQL Server Compact Edition  -
Microsoft SQL Server Express Edition  -
MySQL Server  -
Oracle Server  -
PostgreSQL Server  -
Sybase SQL Server  -


ODBC Drivers

 
Driver Description  File Name  Version  File Extensions Supported
Driver da Microsoft para arquivos texto (*.txt; *.csv)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.,*.asc,*.csv,*.tab,*.txt,*.csv
Driver do Microsoft Access (*.mdb)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.mdb
Driver do Microsoft dBase (*.dbf)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.dbf,*.ndx,*.mdx
Driver do Microsoft Excel(*.xls)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.xls
Driver do Microsoft Paradox (*.db )  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.db
Microsoft Access Driver (*.mdb)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.mdb
Microsoft Access-Treiber (*.mdb)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.mdb
Microsoft dBase Driver (*.dbf)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.dbf,*.ndx,*.mdx
Microsoft dBase-Treiber (*.dbf)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.dbf,*.ndx,*.mdx
Microsoft Excel Driver (*.xls)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.xls
Microsoft Excel-Treiber (*.xls)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.xls
Microsoft ODBC for Oracle  msorcl32.dll  10.0.18362.1 (WinBuild.160101.0800)  
Microsoft Paradox Driver (*.db )  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.db
Microsoft Paradox-Treiber (*.db )  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.db
Microsoft Text Driver (*.txt; *.csv)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.,*.asc,*.csv,*.tab,*.txt,*.csv
Microsoft Text-Treiber (*.txt; *.csv)  odbcjt32.dll  10.0.18362.1 (WinBuild.160101.0800)  *.,*.asc,*.csv,*.tab,*.txt,*.csv
SQL Server  sqlsrv32.dll  10.0.18362.1 (WinBuild.160101.0800)  


ODBC Data Sources

 
Data Source Name  Data Source Description  Type  Driver File Name
dBASE Files  Microsoft Access dBASE Driver (*.dbf, *.ndx, *.mdx)  User  aceodbc.dll
Excel Files  Microsoft Excel Driver (*.xls, *.xlsx, *.xlsm, *.xlsb)  User  aceodbc.dll
MS Access Database  Microsoft Access Driver (*.mdb, *.accdb)  User  aceodbc.dll


Memory Read

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
111245 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
85715 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
77068 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
68474 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
68050 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
59309 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
54885 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
52263 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
47090 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
45280 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
45200 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
44459 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
42764 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
41312 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
39542 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
39430 MB/s
4x Core i7-1065G7 HT  3300 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
38265 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
35611 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
31589 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
30690 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
27404 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
27235 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
26279 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
24854 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
23639 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
23246 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
21557 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
21290 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
21240 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
21238 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
21178 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
21007 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
20056 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
19189 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
18848 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
17754 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
16602 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
16436 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
15717 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
14716 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
14070 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
13509 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
13158 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
11433 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
11214 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
10581 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
10204 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
9660 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
9021 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
8734 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
8543 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
8160 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
7992 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
7620 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
7540 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
6560 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
6431 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
6238 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
6013 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
6000 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
5833 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
5392 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
5334 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
4591 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
3971 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
3938 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
3672 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
3569 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
3364 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
3323 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
2919 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2


Memory Write

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
93960 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
87145 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
73605 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
73328 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
65654 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
60036 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
57968 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
53174 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
53051 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
46700 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
45695 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
44521 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
43931 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
40821 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
40440 MB/s
4x Core i7-1065G7 HT  3400 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
40019 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
33260 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
33252 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
32976 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
27387 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
23902 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
23664 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
23651 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
19577 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
17670 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
17365 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
17092 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
16992 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
16893 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
16676 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
14837 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
14246 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
13065 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
12775 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
12475 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
11929 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
10653 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
10227 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
10159 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
9953 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
9949 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
9814 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
9323 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
8864 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
8646 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
7921 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
7706 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
7114 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
7091 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
7083 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
6734 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
5654 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
5638 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
5518 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
4868 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
4829 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
4696 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
4592 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
4260 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
4219 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
4094 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
4074 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
3803 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
3652 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
3561 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
3154 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
2831 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
2797 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
2472 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
2335 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
2327 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12


Memory Copy

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
103987 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
95761 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
67171 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
67051 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
66492 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
55043 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
54396 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
51658 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
50972 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
47965 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
42705 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
40993 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
40461 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
38295 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
37901 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
34718 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
33699 MB/s
4x Core i7-1065G7 HT  3300 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
31262 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
30678 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
26791 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
24893 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
24569 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
24464 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
24331 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
23704 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
22688 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
22048 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
21684 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
19590 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
17604 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
17551 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
17365 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
17343 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
17256 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
16691 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
15854 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
15829 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
15257 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
14927 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
14078 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
14015 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
12460 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
12113 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
11321 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
11246 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
9653 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
9482 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
8936 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
8217 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
7656 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
7609 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
7389 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
6278 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
6127 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
5911 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
5510 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
5287 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
4893 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
4777 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
4690 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
4551 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
4237 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
4194 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
4174 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
3681 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
3269 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
3145 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
3051 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
3000 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
2987 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
2576 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2


Memory Latency

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
55.2 ns
Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
57.1 ns
Core i7-3770K  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
58.3 ns
Core i7-4770  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
59.5 ns
Core i7-8700K  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
59.9 ns
A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
60.1 ns
Core i7-7700K  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
60.5 ns
Core i7-6700K  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
60.9 ns
FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
61.0 ns
Core i7-4930K  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
61.2 ns
FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
62.5 ns
FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
62.9 ns
A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
63.1 ns
Core i7-965 Extreme  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
66.4 ns
Core i7-2600  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
66.8 ns
Core i7-990X Extreme  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
67.3 ns
Core i7-5775C  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
67.5 ns
Core i7-3960X Extreme  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
67.9 ns
Ryzen 9 3950X  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
69.6 ns
Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
70.4 ns
Xeon X5550  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
70.5 ns
Core i7-6850K  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
71.2 ns
Ryzen Threadripper 2990WX  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
72.0 ns
Core i7-5820K  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
72.5 ns
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
73.1 ns
Ryzen 7 2700X  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
73.8 ns
Ryzen 5 2400G  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
74.0 ns
Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
74.2 ns
Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
76.0 ns
A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
77.0 ns
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
77.1 ns
Core i7-7800X  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
78.5 ns
Pentium EE 955  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
79.5 ns
Xeon E5-2670  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
79.8 ns
Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
81.4 ns
Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
82.4 ns
Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
82.4 ns
A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
82.5 ns
Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
82.6 ns
P4EE  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
83.5 ns
Ryzen 7 1800X  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
84.6 ns
Xeon E5-2660 v3  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
85.8 ns
Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
86.7 ns
Ryzen Threadripper 3970X  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
88.1 ns
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
90.0 ns
Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
91.3 ns
Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
93.1 ns
Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
94.7 ns
Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
95.3 ns
Atom D525  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
95.6 ns
Core i7-1065G7  3400 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
96.9 ns
A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
99.5 ns
Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
100.4 ns
Core i5-650  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
101.2 ns
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
101.6 ns
Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
104.1 ns
Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
106.5 ns
Atom 230  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
108.3 ns
E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
112.5 ns
Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
113.4 ns
Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
114.5 ns
Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
119.9 ns
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
123.5 ns
Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
123.9 ns
Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
124.7 ns
Xeon  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
127.7 ns
Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
128.2 ns
Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
129.0 ns
Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
138.7 ns
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
153.6 ns
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
159.8 ns
Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1


CPU Queen

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
276199
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
216826
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
149985
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
146744
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
99682
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
93183
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
85483
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
72443
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
67341
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
64839
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
62693
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
62382
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
59950
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
56864
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
55275
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
54386
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
53521
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
48880
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
47712
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
47204
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
46792
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
45875
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
43962
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
42538
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
42294
4x Core i7-1065G7 HT  2700 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
42193
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
41733
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
37779
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
36105
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
34010
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
32362
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
31729
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
30788
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
26992
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
25503
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
22146
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
22010
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
21993
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
21796
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
21669
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
21454
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
21431
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
21226
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
20130
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
19490
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
19484
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
19232
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
18844
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
18011
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
16868
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
16100
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
15584
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
14761
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
12584
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
12147
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
11234
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
8547
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
7464
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
7287
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
5916
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
5444
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
5165
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
4078
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
4025
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
3855
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
3791
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
3514
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
3301
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
2815
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
2586
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
1839
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2


CPU PhotoWorxx

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
61896 MPixel/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
56098 MPixel/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
38828 MPixel/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
38788 MPixel/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
38361 MPixel/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
35548 MPixel/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
30449 MPixel/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
26642 MPixel/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
24221 MPixel/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
23753 MPixel/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
23510 MPixel/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
23412 MPixel/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
22800 MPixel/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
21461 MPixel/s
4x Core i7-1065G7 HT  3300 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
20497 MPixel/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
20422 MPixel/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
19743 MPixel/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
19369 MPixel/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
19250 MPixel/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
17044 MPixel/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
15634 MPixel/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
14159 MPixel/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
14009 MPixel/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
12969 MPixel/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
12359 MPixel/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
12350 MPixel/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
11904 MPixel/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
11889 MPixel/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
11589 MPixel/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
11089 MPixel/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
10676 MPixel/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
9568 MPixel/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
9091 MPixel/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
8902 MPixel/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
8800 MPixel/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
8593 MPixel/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
8546 MPixel/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
8073 MPixel/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
7926 MPixel/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
7765 MPixel/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
6976 MPixel/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
6876 MPixel/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
6111 MPixel/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
5627 MPixel/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
5276 MPixel/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
4792 MPixel/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
4726 MPixel/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
4243 MPixel/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
4214 MPixel/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
3847 MPixel/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
3701 MPixel/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
3459 MPixel/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
3004 MPixel/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
2927 MPixel/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
2790 MPixel/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
2536 MPixel/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
2146 MPixel/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
1998 MPixel/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
1901 MPixel/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
1895 MPixel/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
1869 MPixel/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
1864 MPixel/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
1852 MPixel/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
1788 MPixel/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
1676 MPixel/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
1253 MPixel/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
1220 MPixel/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
1102 MPixel/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
1096 MPixel/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
878 MPixel/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
831 MPixel/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2


CPU ZLib

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
3233.9 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
2475.9 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
1642.9 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
1216.8 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
977.6 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
751.8 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
685.5 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
672.5 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
575.1 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
544.1 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
493.8 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
453.8 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
437.7 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
432.5 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
415.0 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
407.1 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
365.9 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
359.9 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
357.7 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
356.9 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
347.3 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
345.2 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
326.0 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
317.0 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
313.7 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
286.5 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
281.2 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
275.1 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
265.4 MB/s
4x Core i7-1065G7 HT  3200 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
256.3 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
243.7 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
224.6 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
209.5 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
189.0 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
188.7 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
186.0 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
183.3 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
174.9 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
173.8 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
169.8 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
153.9 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
151.9 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
151.4 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
136.0 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
135.1 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
116.8 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
112.0 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
107.9 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
105.3 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
99.1 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
97.2 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
95.3 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
84.0 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
82.8 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
73.7 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
73.2 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
60.0 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
58.4 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
41.7 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
41.5 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
33.3 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
32.8 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
32.2 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
31.7 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
24.0 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
22.6 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
19.6 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
18.6 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
17.4 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
16.1 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
15.3 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2


CPU AES

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
285585 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
224070 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
147445 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
70290 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
65838 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
63242 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
46884 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
44859 MB/s
4x Core i7-1065G7 HT  2200 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
38015 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
32074 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
29420 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
27374 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
25198 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
23206 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
21097 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
21096 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
20645 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
18234 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
17940 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
17292 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
16801 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
16358 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
15377 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
14455 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
13667 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
12246 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
10337 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
9791 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
9136 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
9011 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
8503 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
8500 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
6557 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
4924 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
4052 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
3781 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
2908 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
1930 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
1619 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
1452 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
1332 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
1286 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
1233 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
1152 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
914 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
802 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
791 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
790 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
721 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
663 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
587 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
567 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
524 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
494 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
473 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
421 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
387 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
312 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
277 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
269 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
242 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
153 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
148 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
144 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
131 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
108 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
105 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
99 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
98 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
85 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
44 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12


CPU SHA3

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
9774 MB/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
7396 MB/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
4950 MB/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
4941 MB/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
3419 MB/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
2668 MB/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
2531 MB/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
2524 MB/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
2237 MB/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
2018 MB/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
1986 MB/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
1804 MB/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
1775 MB/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
1569 MB/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
1314 MB/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
1306 MB/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
1292 MB/s
4x Core i7-1065G7 HT  2100 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
1283 MB/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
1180 MB/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
1178 MB/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
1136 MB/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
1076 MB/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
1037 MB/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
1031 MB/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
979 MB/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
912 MB/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
876 MB/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
845 MB/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
834 MB/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
796 MB/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
758 MB/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
736 MB/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
726 MB/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
684 MB/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
625 MB/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
625 MB/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
581 MB/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
577 MB/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
555 MB/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
547 MB/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
532 MB/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
525 MB/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
523 MB/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
489 MB/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
427 MB/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
418 MB/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
401 MB/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
385 MB/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
329 MB/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
327 MB/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
291 MB/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
272 MB/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
269 MB/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
260 MB/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
243 MB/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
213 MB/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
205 MB/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
200 MB/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
146 MB/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
110 MB/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
107 MB/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
106 MB/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
105 MB/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
99 MB/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
96 MB/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
90 MB/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
73 MB/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
72 MB/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
65 MB/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
51 MB/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
47 MB/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12


FPU Julia

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
302606
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
149854
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
141102
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
111086
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
66364
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
62489
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
54927
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
40860
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
40283
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
38481
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
38472
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
36094
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
34017
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
30190
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
28482
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
27646
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
26893
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
24755
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
19514
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
19070
4x Core i7-1065G7 HT  2000 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
18966
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
18453
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
18309
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
18009
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
17672
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
15941
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
15291
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
13498
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
12633
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
12205
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
11912
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
11127
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
8958
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
8746
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
8686
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
8203
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
8070
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
7958
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
7598
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
7432
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
7019
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
6987
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
6526
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
6416
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
6228
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
6169
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
5655
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
5600
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
5580
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
5577
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
5235
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
4053
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
3534
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
3487
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
2443
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
2388
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
2308
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
2053
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
1988
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
1865
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
1332
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
1307
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
1112
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
958
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
911
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
892
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
794
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
701
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
640
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
589
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
513
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2


FPU Mandel

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
160860
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
79245
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
72961
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
54582
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
36624
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
32939
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
29556
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
21692
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
21329
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
20702
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
20171
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
19160
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
18312
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
15402
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
15100
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
14851
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
14256
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
12503
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
11412
4x Core i7-1065G7 HT  2000 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
10344
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
9890
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
9781
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
9318
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
8675
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
8614
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
8068
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
7273
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
6913
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
6434
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
6212
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
6096
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
5394
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
4625
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
4421
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
4333
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
4180
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
4040
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
3970
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
3874
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
3646
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
3454
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
3349
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
3311
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
3174
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
3149
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
3068
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
2981
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
2890
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
2840
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
2675
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
2335
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
1823
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
1482
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
1449
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
1383
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
1189
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
1182
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
1062
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
1051
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
856
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
794
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
494
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
476
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
438
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
427
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
406
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
401
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
359
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
328
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
263
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
193
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12


FPU SinJulia

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
55908
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
46562
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
28541
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
18481
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
16033
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
13534
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
12654
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
7786
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
7470
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
7272
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
7240
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
7218
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
7116
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
6993
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
6821
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
6511
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
6131
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
5460
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
4978
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
4826
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
4714
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
4675
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
4658
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
4615
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
4586
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
4137
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
3540
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
3212
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
3100
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
2937
4x Core i7-1065G7 HT  2300 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
2831
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
2642
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
2589
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
2304
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
2266
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
2221
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
2210
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
2042
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
1934
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
1872
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
1855
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
1738
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
1618
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
1575
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
1480
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
1478
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
1420
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
1377
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
1260
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
1178
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
1167
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
1049
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
1021
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
974
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
959
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
945
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
942
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
810
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
516
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
503
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
463
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
452
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
359
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
327
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
284
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
277
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
262
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
261
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
205
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
202
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
131
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2


FP32 Ray-Trace

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
57482 KRay/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
27881 KRay/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
27293 KRay/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
18503 KRay/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
15902 KRay/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
11818 KRay/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
11356 KRay/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
8389 KRay/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
8264 KRay/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
7481 KRay/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
7408 KRay/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
7282 KRay/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
7266 KRay/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
5988 KRay/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
5195 KRay/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
5054 KRay/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
4853 KRay/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
4789 KRay/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
3767 KRay/s
4x Core i7-1065G7 HT  1700 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
3691 KRay/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
3562 KRay/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
3360 KRay/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
2868 KRay/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
2653 KRay/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
2599 KRay/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
2559 KRay/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
2556 KRay/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
2541 KRay/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
2182 KRay/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
1982 KRay/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
1911 KRay/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
1642 KRay/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
1629 KRay/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
1546 KRay/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
1379 KRay/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
1369 KRay/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
1313 KRay/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
1252 KRay/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
1215 KRay/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
1212 KRay/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
1175 KRay/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
1161 KRay/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
1129 KRay/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
1104 KRay/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
978 KRay/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
976 KRay/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
850 KRay/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
801 KRay/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
788 KRay/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
782 KRay/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
774 KRay/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
570 KRay/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
526 KRay/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
523 KRay/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
370 KRay/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
354 KRay/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
319 KRay/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
299 KRay/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
272 KRay/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
268 KRay/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
213 KRay/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
203 KRay/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
165 KRay/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
145 KRay/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
130 KRay/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
123 KRay/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
117 KRay/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
105 KRay/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
95 KRay/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12
92 KRay/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
70 KRay/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2


FP64 Ray-Trace

 
CPU  CPU Clock  Motherboard  Chipset  Memory  CL-RCD-RP-RAS
31857 KRay/s
32x Ryzen Threadripper 3970X HT  3800 MHz  Gigabyte TRX40 Aorus Xtreme  TRX40  Quad DDR4-3200  16-18-18-36 CR1
15318 KRay/s
16x Ryzen 9 3950X HT  3500 MHz  Gigabyte X570 Aorus Pro WiFi  X570  Dual DDR4-3600  16-16-16-36 CR1
13887 KRay/s
32x Ryzen Threadripper 2990WX HT  3000 MHz  MSI MEG X399 Creation  X399  Quad DDR4-2933  16-18-18-38 CR1
10033 KRay/s
20x Xeon E5-2660 v3 HT  2600 MHz  Supermicro X10DRi  C612  Octal DDR4-1866  13-13-13-31 CR1
8839 KRay/s
6x Core i7-7800X HT  3500 MHz  Gigabyte X299 UD4  X299  Quad DDR4-2667  15-17-17-35 CR2
6425 KRay/s
6x Core i7-8700K HT  3700 MHz  Gigabyte Z370 Aorus Gaming 7  Z370 Int.  Dual DDR4-2667  16-18-18-38 CR2
5969 KRay/s
16x Xeon E5-2670 HT  2600 MHz  Supermicro X9DR6-F  C600  Octal DDR3-1333  9-9-9-24 CR1
4564 KRay/s
4x Core i7-7700K HT  4200 MHz  ASRock Z270 Extreme4  Z270 Ext.  Dual DDR4-2133  15-15-15-36 CR2
4187 KRay/s
8x Ryzen 7 2700X HT  3700 MHz  Asus Crosshair VII Hero  X470  Dual DDR4-2933  16-20-21-49 CR1
4132 KRay/s
6x Core i7-6850K HT  3600 MHz  Asus Strix X99 Gaming  X99  Quad DDR4-2400  16-16-16-39 CR2
4057 KRay/s
6x Core i7-5820K HT  3300 MHz  Gigabyte GA-X99-UD4  X99  Quad DDR4-2133  15-15-15-36 CR2
4011 KRay/s
4x Core i7-6700K HT  4000 MHz  Gigabyte GA-Z170X-UD3  Z170 Int.  Dual DDR4-2133  14-14-14-35 CR2
4000 KRay/s
8x Ryzen 7 1800X HT  3600 MHz  Asus Crosshair VI Hero  X370  Dual DDR4-2667  16-17-17-35 CR1
3256 KRay/s
32x Opteron 6274  2200 MHz  Supermicro H8DGI-F  SR5690  Octal DDR3-1600R  11-11-11-28 CR1
2807 KRay/s
6x Core i7-4930K HT  3400 MHz  Gigabyte GA-X79-UD3  X79  Quad DDR3-1866  9-10-9-27 CR2
2772 KRay/s
4x Core i7-4770 HT  3400 MHz  Intel DZ87KLT-75K  Z87 Int.  Dual DDR3-1600  9-9-9-27 CR2
2638 KRay/s
6x Core i7-3960X Extreme HT  3300 MHz  Intel DX79SI  X79  Quad DDR3-1600  9-9-9-24 CR2
2595 KRay/s
4x Core i7-5775C HT  3300 MHz  Gigabyte GA-Z97MX-Gaming 5  Z97 Int.  Dual DDR3-1600  11-11-11-28 CR1
1992 KRay/s
4x Core i7-1065G7 HT  1800 MHz  LG 17Z90N-V.AA76C  IcePointLP Int.  Dual LPDDR4-3200  22-22-22-52 CR1
1963 KRay/s
4x Ryzen 5 2400G HT  3600 MHz  ASRock A320M Pro4  A320  Dual DDR4-2933  16-15-15-35 CR1
1918 KRay/s
4x Core i7-3770K HT  3500 MHz  MSI Z77A-GD55  Z77 Int.  Dual DDR3-1600  9-9-9-24 CR2
1817 KRay/s
4x Core i7-2600 HT  3400 MHz  Asus P8P67  P67  Dual DDR3-1333  9-9-9-24 CR1
1559 KRay/s
12x Opteron 2431  2400 MHz  Supermicro H8DI3+-F  SR5690  Unganged Quad DDR2-800R  6-6-6-18 CR1
1457 KRay/s
6x Core i7-990X Extreme HT  3466 MHz  Intel DX58SO2  X58  Triple DDR3-1333  9-9-9-24 CR1
1388 KRay/s
8x FX-8350  4000 MHz  Asus M5A99X Evo R2.0  AMD990X  Dual DDR3-1866  9-10-9-27 CR2
1379 KRay/s
8x Xeon X5550 HT  2666 MHz  Supermicro X8DTN+  i5520  Hexa DDR3-1333  9-9-9-24 CR1
1367 KRay/s
16x Atom C3958  2000 MHz  Supermicro A2SDi-H-TP4F  Denverton  Dual DDR4-2400  17-17-17-39
1313 KRay/s
8x FX-8150  3600 MHz  Asus M5A97  AMD970  Dual DDR3-1866  9-10-9-27 CR2
1159 KRay/s
8x Xeon E5462  2800 MHz  Intel S5400SF  i5400  Quad DDR2-640FB  5-5-5-15
1039 KRay/s
8x Opteron 2378  2400 MHz  Tyan Thunder n3600R  nForcePro-3600  Unganged Quad DDR2-800R  6-6-6-18 CR1
1037 KRay/s
6x Phenom II X6 Black 1100T  3300 MHz  Gigabyte GA-890GPA-UD3H v2  AMD890GX Int.  Unganged Dual DDR3-1333  9-9-9-24 CR2
900 KRay/s
4x Core i7-965 Extreme HT  3200 MHz  Asus P6T Deluxe  X58  Triple DDR3-1333  9-9-9-24 CR1
874 KRay/s
6x FX-6100  3300 MHz  Asus Sabertooth 990FX  AMD990FX  Dual DDR3-1866  9-10-9-27 CR2
852 KRay/s
4x A12-9800  3800 MHz  Gigabyte GA-AB350M-Gaming 3  B350 Int.  Dual DDR4-2400  14-16-16-31 CR1
737 KRay/s
4x A10-6800K  4100 MHz  Gigabyte GA-F2A85X-UP4  A85X Int.  Dual DDR3-2133  9-11-10-27 CR2
724 KRay/s
8x Xeon L5320  1866 MHz  Intel S5000VCL  i5000V  Dual DDR2-533FB  4-4-4-12
717 KRay/s
4x A10-7850K  3700 MHz  Gigabyte GA-F2A88XM-D3H  A88X Int.  Dual DDR3-2133  9-11-10-31 CR2
671 KRay/s
4x A10-5800K  3800 MHz  Asus F2A55-M  A55 Int.  Dual DDR3-1866  9-10-9-27 CR2
669 KRay/s
8x Opteron 2344 HE  1700 MHz  Supermicro H8DME-2  nForcePro-3600  Unganged Quad DDR2-667R  5-5-5-15 CR1
626 KRay/s
4x Phenom II X4 Black 940  3000 MHz  Asus M3N78-EM  GeForce8300 Int.  Ganged Dual DDR2-800  5-5-5-18 CR2
623 KRay/s
4x A8-3850  2900 MHz  Gigabyte GA-A75M-UD2H  A75 Int.  Dual DDR3-1333  9-9-9-24 CR1
623 KRay/s
4x Xeon X3430  2400 MHz  Supermicro X8SIL-F  i3420  Dual DDR3-1333  9-9-9-24 CR1
616 KRay/s
4x Core 2 Extreme QX9650  3000 MHz  Gigabyte GA-EP35C-DS3R  P35  Dual DDR3-1066  8-8-8-20 CR2
539 KRay/s
4x Celeron J4105  1500 MHz  ASRock J4105-ITX  GeminiLakeD Int.  Dual DDR4-2400  17-17-17-39
534 KRay/s
4x Core 2 Extreme QX6700  2666 MHz  Intel D975XBX2  i975X  Dual DDR2-667  5-5-5-15
466 KRay/s
4x Xeon 5140  2333 MHz  Intel S5000VSA  i5000V  Dual DDR2-667FB  5-5-5-15
459 KRay/s
8x Atom C2750  2400 MHz  Supermicro A1SAi-2750F  Avoton  Dual DDR3-1600  11-11-11-28 CR1
452 KRay/s
4x Phenom X4 9500  2200 MHz  Asus M3A  AMD770  Ganged Dual DDR2-800  5-5-5-18 CR2
443 KRay/s
2x Core i5-650 HT  3200 MHz  Supermicro C7SIM-Q  Q57 Int.  Dual DDR3-1333  9-9-9-24 CR1
435 KRay/s
4x Athlon 5350  2050 MHz  ASRock AM1B-ITX  Yangtze Int.  DDR3-1600 SDRAM  11-11-11-28 CR2
428 KRay/s
4x Celeron J3455  1500 MHz  ASRock J3455B-ITX  ApolloLakeD Int.  Dual DDR3-1866  11-11-11-32 CR1
285 KRay/s
2x Core 2 Extreme X6800  2933 MHz  Abit AB9  P965  Dual DDR2-800  5-5-5-18 CR2
210 KRay/s
4x Celeron J1900  2000 MHz  Gigabyte GA-J1900N-D3V  BayTrailD Int.  Dual DDR3-1333  9-9-9-24 CR1
205 KRay/s
2x Pentium EE 955 HT  3466 MHz  Intel D955XBK  i955X  Dual DDR2-667  4-4-4-11
197 KRay/s
2x Xeon HT  3400 MHz  Intel SE7320SP2  iE7320  Dual DDR333R  2.5-3-3-7
193 KRay/s
4x Opteron 2210 HE  1800 MHz  Tyan Thunder h2000M  BCM5785  Quad DDR2-600R  5-5-5-15 CR1
185 KRay/s
4x Celeron N3150  1600 MHz  ASRock N3150B-ITX  Braswell Int.  Dual DDR3-1600  11-11-11-28 CR2
176 KRay/s
2x Athlon64 X2 Black 6400+  3200 MHz  MSI K9N SLI Platinum  nForce570SLI  Dual DDR2-800  4-4-4-11 CR1
138 KRay/s
2x Pentium D 820  2800 MHz  Abit Fatal1ty F-I90HD  RS600 Int.  Dual DDR2-800  5-5-5-18 CR2
120 KRay/s
Nano X2 L4350  1600 MHz  VIA EPIA-M900  VX900H Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
109 KRay/s
P4EE HT  3733 MHz  Intel SE7230NH1LX  iE7230  Dual DDR2-667  5-5-5-15
79 KRay/s
2x E-350  1600 MHz  ASRock E350M1  A50M Int.  DDR3-1066 SDRAM  8-8-8-20 CR1
71 KRay/s
Celeron 420  1600 MHz  Intel DQ965GF  Q965 Int.  Dual DDR2-667  5-5-5-15
64 KRay/s
2x Atom D525 HT  1800 MHz  Gigabyte GA-D525TUD  NM10 Int.  DDR3-800 SDRAM  6-6-6-15 CR2
62 KRay/s
Celeron D 326  2533 MHz  ASRock 775Twins-HDTV  RC410 Ext.  DDR2-533 SDRAM  4-4-4-11 CR2
59 KRay/s
Opteron 248  2200 MHz  MSI K8T Master1-FAR  K8T800  Dual DDR266R  2-3-3-6 CR1
56 KRay/s
Nano L2200  1600 MHz  VIA VB8001  CN896 Int.  DDR2-667 SDRAM  5-5-5-15 CR2
54 KRay/s
Athlon64 3200+  2000 MHz  ASRock 939S56-M  SiS756  Dual DDR400  2.5-3-3-8 CR2
46 KRay/s
2x Atom D2500  1866 MHz  Intel D2500CC  NM10 Int.  DDR3-1066 SDRAM  7-7-7-20 CR2
43 KRay/s
Sempron 2600+  1600 MHz  ASRock K8NF4G-SATA2  GeForce6100 Int.  DDR400 SDRAM  2.5-3-3-8 CR2
28 KRay/s
Atom 230 HT  1600 MHz  Intel D945GCLF  i945GC Int.  DDR2-533 SDRAM  4-4-4-12


Debug - PCI

 
B00 D00 F00:  Intel Ice Lake-U 4C - Host Bridge/DRAM Controller
  
Offset 000:  86 80 12 8A 06 00 90 00 03 00 00 06 00 00 00 00
Offset 010:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 00
Offset 040:  01 10 DA FE 00 00 00 00 01 00 D1 FE 00 00 00 00
Offset 050:  C1 FE 00 00 91 00 00 00 C7 00 20 4D 01 00 00 48
Offset 060:  01 00 00 C0 00 00 00 00 01 00 DA FE 00 00 00 00
Offset 070:  08 02 00 01 00 04 00 00 00 00 00 00 88 06 00 00
Offset 080:  30 33 33 33 33 33 33 10 00 00 00 00 00 00 00 00
Offset 090:  08 02 00 01 00 04 00 00 1A 02 00 01 00 04 00 00
Offset 0A0:  01 00 00 00 04 00 00 00 01 00 C0 B2 04 00 00 00
Offset 0B0:  01 00 80 49 01 00 00 49 00 00 00 48 01 00 40 4D
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  1A 02 00 01 00 04 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  09 00 10 01 30 60 04 F2 8C 00 04 16 49 00 5D 06
Offset 0F0:  00 00 00 00 19 0F 05 00 00 00 00 00 00 00 00 00
 
B00 D02 F00:  Intel Ice Lake-U GT2 64EU - Integrated Graphics Controller
  
Offset 000:  86 80 52 8A 07 04 10 00 07 00 00 03 00 00 00 00
Offset 010:  04 00 00 1C 60 00 00 00 0C 00 00 00 40 00 00 00
Offset 020:  01 20 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 40 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  09 70 0C 01 20 05 00 00 00 00 00 00 00 00 00 00
Offset 050:  C1 FE 00 00 91 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  10 AC 92 00 00 80 00 10 00 00 00 00 00 00 00 00
Offset 080:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 05 D0 01 01
Offset 0B0:  0C F0 EF FE 53 49 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  01 00 80 49 00 00 00 00 01 00 D9 FE 00 00 00 00
Offset 0D0:  01 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00
Offset 0F0:  C7 00 20 4D 00 00 00 00 00 00 00 00 18 E0 9E 3B
 
B00 D04 F00:  Intel Ice Lake - Dynamic Platform & Thermal Framework Processor Participant
  
Offset 000:  86 80 03 8A 06 00 90 00 03 00 80 11 00 00 00 00
Offset 010:  04 00 ED FF 7F 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 90 00 00 00 00 00 00 00 10 01 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 BF F4 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  05 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  01 E0 03 00 08 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  09 00 0C 01 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
B00 D14 F00:  Intel Ice Point-LP PCH - USB 3.1 xHCI Host Controller
  
Offset 000:  86 80 ED 34 00 04 90 02 30 30 03 0C 00 00 80 00
Offset 010:  04 00 14 1D 60 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 70 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  FD 01 30 00 08 C0 03 80 00 00 00 00 00 00 00 00
Offset 050:  7F 6D DC 0F 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  31 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  01 80 C2 C1 0B 01 00 00 00 00 00 00 00 00 00 00
Offset 080:  05 90 86 00 0C F0 EF FE 00 00 00 00 81 49 00 00
Offset 090:  09 00 14 F0 10 00 40 01 00 00 00 00 C1 0A 08 00
Offset 0A0:  00 08 0E 00 00 20 00 00 8F 00 02 00 00 01 00 00
Offset 0B0:  99 00 00 00 00 00 00 00 00 00 00 00 60 03 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 12 00 00 00
 
B00 D14 F02:  Intel Ice Point-LP PCH - Shared SRAM
  
Offset 000:  86 80 EF 34 00 00 10 00 30 00 00 05 00 00 00 00
Offset 010:  04 80 17 1D 60 00 00 00 04 00 18 1D 60 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 030:  00 00 00 00 80 00 00 00 00 00 00 00 FF 00 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  01 00 03 00 08 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D14 F03:  Intel Ice Point-LP PCH - WiFi Controller
  
Offset 000:  86 80 F0 34 06 04 10 00 30 00 80 02 00 00 80 00
Offset 010:  04 80 EE FF 7F 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 86 80 74 00
Offset 030:  00 00 00 00 C8 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  10 80 92 00 C0 0E 00 10 10 0C 10 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 12 08 08 00 05 04 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  11 00 0F 80 00 20 00 00 00 30 00 00 00 00 00 00
Offset 090:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 01 D0 23 C8 08 00 00 0D
Offset 0D0:  05 40 80 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
B00 D15 F00:  Intel Ice Point-LP PCH - I2C Controller 0
  
Offset 000:  86 80 E8 34 06 00 10 00 30 00 80 0C 00 00 80 00
Offset 010:  04 40 EE FF 7F 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 80 00 00 00 00 00 00 00 10 01 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  01 90 03 00 08 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  09 00 14 F0 10 00 40 01 01 21 00 00 C1 24 00 00
Offset 0A0:  00 08 0F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D15 F01:  Intel Ice Point-LP PCH - I2C Controller 1
  
Offset 000:  86 80 E9 34 00 04 10 00 30 00 80 0C 00 00 80 00
Offset 010:  04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 80 00 00 00 00 00 00 00 11 02 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  01 90 03 00 0B 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  09 00 14 F0 10 00 40 01 01 21 00 00 C1 24 00 00
Offset 0A0:  00 08 0F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D16 F00:  Intel Ice Point-LP PCH - HECI Controller 1
  
Offset 000:  86 80 E0 34 06 04 10 00 30 00 80 07 00 00 80 00
Offset 010:  04 50 EE FF 7F 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 50 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  45 02 00 A0 00 00 00 80 06 05 F1 00 00 00 00 00
Offset 050:  01 8C 03 40 08 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  20 00 00 00 04 40 00 00 00 00 00 00 00 00 40 40
Offset 070:  00 00 00 00 00 00 00 E0 00 00 00 00 00 00 00 00
Offset 080:  00 00 00 00 00 00 00 00 00 00 00 00 05 A4 81 00
Offset 090:  0C F0 EF FE 00 00 00 00 B5 49 00 00 00 00 00 00
Offset 0A0:  04 00 00 00 09 00 14 F0 10 00 40 01 00 00 00 00
Offset 0B0:  01 80 00 00 38 0D 0E 00 00 00 00 00 00 00 00 40
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1D F00:  Intel Ice Point-LP PCH - PCI Express Root Port 9
  
Offset 000:  86 80 B0 34 06 04 10 00 30 00 04 06 00 00 81 00
Offset 010:  00 00 00 00 00 00 00 00 00 2B 2B 00 F0 00 00 20
Offset 020:  30 5A 30 5A F1 FF 01 00 00 00 00 00 00 00 00 00
Offset 030:  00 00 00 00 40 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  10 80 42 01 01 80 00 00 20 00 10 00 43 48 72 09
Offset 050:  42 00 43 70 00 FD 44 00 00 00 40 01 08 00 00 00
Offset 060:  00 00 00 00 37 08 00 00 00 04 00 00 0E 00 00 00
Offset 070:  03 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  05 90 01 00 0C F0 EF FE 60 49 00 00 00 00 00 00
Offset 090:  0D A0 00 00 54 18 61 03 00 00 00 00 00 00 00 00
Offset 0A0:  01 00 03 C8 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  11 10 00 07 42 18 00 00 08 00 9E 09 00 00 00 00
Offset 0E0:  00 F7 F3 00 46 88 46 88 16 80 12 00 00 00 00 00
Offset 0F0:  50 01 00 00 00 03 00 40 B5 0F 30 01 04 C0 00 01
 
B00 D1D F04:  Intel Ice Point-LP PCH - PCI Express Root Port 13
  
Offset 000:  86 80 B4 34 06 04 10 00 30 00 04 06 00 00 81 00
Offset 010:  00 00 00 00 00 00 00 00 00 2C 2C 00 F0 00 00 20
Offset 020:  20 5A 20 5A F1 FF 01 00 00 00 00 00 00 00 00 00
Offset 030:  00 00 00 00 40 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  10 80 42 01 01 80 00 00 20 00 10 00 43 48 72 0D
Offset 050:  42 00 43 70 00 FD 64 00 00 00 40 01 08 00 00 00
Offset 060:  00 00 00 00 37 08 00 00 00 04 00 00 0E 00 00 00
Offset 070:  03 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  05 90 01 00 0C F0 EF FE 50 49 00 00 00 00 00 00
Offset 090:  0D A0 00 00 54 18 61 03 00 00 00 00 00 00 00 00
Offset 0A0:  01 00 03 C8 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  11 10 00 07 42 18 00 00 08 00 9E 09 00 00 00 00
Offset 0E0:  00 F7 73 00 5D 8C 5D 8C 16 80 12 00 00 00 00 00
Offset 0F0:  50 01 00 00 00 03 00 40 B5 0F 30 01 04 C0 00 01
 
B00 D1E F00:  Intel Ice Point-LP PCH - UART Controller 0
  
Offset 000:  86 80 A8 34 00 04 10 00 30 00 80 07 00 00 80 00
Offset 010:  04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 80 00 00 00 00 00 00 00 14 01 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  01 90 03 00 0B 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  09 00 14 F0 10 00 40 01 01 21 00 00 C1 24 00 00
Offset 0A0:  00 08 0F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1E F03:  Intel Ice Point-LP PCH - GSPI Controller 1
  
Offset 000:  86 80 AB 34 00 04 10 00 30 00 80 0C 00 00 80 00
Offset 010:  04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 80 00 00 00 00 00 00 00 17 04 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  01 90 03 00 0B 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  09 00 14 F0 10 00 40 01 01 21 00 00 C1 24 00 00
Offset 0A0:  00 08 0F 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1F F00:  Intel Ice Point-LP PCH Premium - eSPI Controller [D0]
  
Offset 000:  86 80 82 34 07 04 00 00 30 00 01 06 00 00 80 00
Offset 010:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  10 00 0F 3F 81 06 0C 00 41 16 0C 00 A1 06 0C 00
Offset 090:  81 00 0C 00 10 2F 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 CF FF 00 00 A6 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1F F03:  Intel Ice Point-LP PCH - cAVS (Audio, Voice, Speech)
  
Offset 000:  86 80 C8 34 06 00 10 00 30 00 03 04 00 00 00 00
Offset 010:  04 C0 EE FF 7F 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  04 00 F0 FF 7F 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 50 00 00 00 00 00 00 00 10 01 00 00
Offset 040:  00 00 00 00 00 00 00 00 FF 09 7B 00 00 00 00 00
Offset 050:  01 80 43 C0 08 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  05 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  10 00 91 00 00 00 00 10 00 28 10 00 00 00 00 00
Offset 080:  09 60 14 F0 10 00 40 01 00 00 00 00 A1 04 01 00
Offset 090:  00 08 28 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  02 06 02 30 00 60 80 04 00 0C A5 82 10 00 03 00
Offset 0D0:  00 0C B5 02 10 00 03 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1F F04:  Intel Ice Point-LP PCH - SMBus Controller
  
Offset 000:  86 80 A3 34 00 00 80 02 30 00 05 0C 00 00 00 00
Offset 010:  04 A0 17 1D 60 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  A1 EF 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 00 00 00 00 00 00 00 00 FF 01 00 00
Offset 040:  11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  01 04 00 00 01 01 00 00 00 00 00 00 00 00 00 00
Offset 060:  04 05 05 00 00 00 0A 0A 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 21 01 00 0C 00 00 1F 00 20 01 00 0C 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B00 D1F F05:  Intel Ice Point-LP PCH - SPI (Flash) Controller
  
Offset 000:  86 80 A4 34 02 04 00 00 30 00 80 0C 00 00 00 00
Offset 010:  00 00 01 FE 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 54 18 61 03
Offset 030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 CF FF 00 00 AA 08 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 B5 0F 30 01 00 00 00 00
 
B2B D00 F00:  Samsung NVMe SSD Controller
  
Offset 000:  4D 14 08 A8 06 04 10 00 00 02 08 01 00 00 00 00
Offset 010:  04 00 30 5A 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 00 00 00 00 00 00 00 4D 14 01 A8
Offset 030:  00 00 00 00 40 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  01 50 03 00 08 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  05 70 8A 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  10 B0 02 00 C1 8F E8 17 30 20 09 00 43 78 47 00
Offset 080:  42 01 43 10 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 00 00 1F 08 00 00 00 04 00 00 0E 00 00 00
Offset 0A0:  03 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  11 00 20 80 00 30 00 00 00 20 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
B2C D00 F00:  Realtek RTS5763DL PCIe 3.0 x4 NVMe 1.3 SSD Controller
  
Offset 000:  EC 10 63 57 06 04 10 00 01 02 08 01 00 00 00 00
Offset 010:  04 00 20 5A 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020:  00 00 00 00 00 40 20 5A 00 00 00 00 EC 10 63 57
Offset 030:  00 00 00 00 40 00 00 00 00 00 00 00 00 01 00 00
Offset 040:  01 50 03 00 08 00 00 00 00 00 00 00 00 00 00 00
Offset 050:  05 70 86 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070:  10 B0 02 00 C2 8F E8 17 30 20 09 00 43 78 47 00
Offset 080:  42 01 43 10 00 00 00 00 00 00 00 00 00 00 00 00
Offset 090:  00 00 00 00 10 08 0C 00 00 04 00 00 0E 00 00 00
Offset 0A0:  03 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0:  11 00 07 80 00 20 00 00 00 30 00 00 00 00 00 00
Offset 0C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4000:  16 68 0C 30 30 2B C1 02 00 00 00 00 08 04 08 0A
Offset 4010:  0C 0C 0C 0C 26 1E 06 06 08 04 08 08 00 00 00 00
Offset 4020:  2B 19 19 19 19 19 19 19 00 00 00 00 04 00 20 06
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4200:  00 00 00 00 0F 00 00 00 00 00 00 00 00 00 00 00
Offset 4210:  00 0D 20 01 00 00 00 00 00 00 00 00 00 00 00 00
Offset 4220:  00 00 00 00 03 03 03 03 01 01 01 01 00 00 00 00
Offset 4230:  10 02 21 20 10 02 21 64 40 98 02 D8 C0 30 70 03
Offset 4240:  00 04 00 62 00 40 00 00 80 00 02 00 F8 08 00 00
Offset 4250:  00 00 00 00 01 00 00 00 00 1C 00 00 00 00 00 00
Offset 4260:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 4270:  00 00 00 00 FF FF FF FF 03 00 00 00 00 00 00 00
Offset 4280:  10 02 21 20 10 02 21 64 11 00 70 01 04 04 03 02
Offset 4290:  C6 00 00 00 4F 00 00 00 4F 00 00 00 4F 00 00 00
Offset 42A0:  4F 00 00 00 4F 00 00 00 4F 00 00 00 4F 00 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4400:  16 68 0C 30 30 2B C1 02 00 00 00 00 08 04 08 0A
Offset 4410:  0C 0C 0C 0C 26 1E 06 06 08 04 08 08 00 00 00 00
Offset 4420:  28 19 19 19 19 19 19 19 00 00 00 00 04 00 20 06
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4600:  00 00 00 00 0F 00 00 00 00 00 00 00 00 00 00 00
Offset 4610:  05 0D 20 01 00 00 00 00 00 00 00 00 00 00 00 00
Offset 4620:  00 00 00 00 03 03 03 03 00 01 01 01 00 00 00 00
Offset 4630:  10 02 21 20 10 02 21 64 40 98 02 D8 C0 30 70 03
Offset 4640:  00 04 00 62 00 40 00 00 80 00 02 00 F8 08 00 00
Offset 4650:  00 00 00 00 01 00 00 00 00 1C 00 00 00 00 00 00
Offset 4660:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 4670:  00 00 00 00 FF FF FF FF 03 00 00 00 00 00 00 00
Offset 4680:  10 02 21 20 10 02 21 64 11 00 70 01 04 04 03 02
Offset 4690:  C6 00 00 00 4F 00 00 00 4F 00 00 00 4F 00 00 00
Offset 46A0:  4F 00 00 00 4F 00 00 00 4F 00 00 00 4F 00 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4800:  00 30 00 00 00 30 00 00 00 30 00 00 00 30 00 00
Offset 4810:  00 30 00 00 00 30 00 00 00 30 00 00 00 30 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 4A80:  00 30 00 00 00 30 00 00 00 30 00 00 00 30 00 00
Offset 4A90:  00 30 00 00 00 30 00 00 00 30 00 00 00 30 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 5000:  00 00 01 00 10 01 00 00 10 01 00 00 10 00 00 00
Offset 5010:  90 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 5880:  60 01 00 00 03 00 00 00 00 00 00 00 00 00 00 00
Offset 5890:  FF FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 00 00
Offset 58A0:  00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00
Offset 58B0:  00 00 00 00 00 00 00 00 00 00 00 00 7F 00 00 00
Offset 58C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 58D0:  FF FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 00 00
Offset 58E0:  00 00 00 00 DE 00 54 00 00 00 00 00 00 00 00 00
Offset 58F0:  00 00 00 00 00 00 00 00 E2 27 00 00 00 00 02 15
Offset 5900:  00 00 00 01 00 00 00 01 00 00 00 00 02 00 00 00
Offset 5910:  00 00 00 00 00 00 00 00 30 08 00 12 20 1A 18 00
Offset 5920:  0D 00 00 00 0D 00 00 00 67 90 F1 03 21 F1 1A 00
Offset 5930:  78 00 00 00 00 00 00 00 03 0E 0A 00 80 5F CC 05
Offset 5940:  40 FC 03 D1 8B 00 01 00 00 00 00 00 00 00 00 00
Offset 5950:  00 00 00 00 00 00 1C 00 00 0F 81 F1 3C 04 04 00
Offset 5960:  2E 76 F8 02 00 00 00 00 A4 1B 01 83 26 8D 32 B4
Offset 5970:  00 00 00 00 38 D5 38 BC 45 00 00 00 44 00 00 00
Offset 5980:  43 00 00 00 4D BD CF 68 00 00 00 00 00 00 00 00
Offset 5990:  00 00 00 00 16 00 00 00 16 06 06 00 00 00 64 0A
Offset 59A0:  60 80 1F 00 70 81 42 00 00 00 00 00 00 00 00 00
Offset 59B0:  28 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00
Offset 59C0:  00 00 21 88 00 00 00 00 00 00 00 00 00 00 00 00
 
PCI-8086-8A12:  Intel SNB/IVB/HSW/CRW/BDW/SKL/KBL/CFL/WHL/CNL/CML/ICL/RKL/TGL MCHBAR
  
Offset 5E00:  0C 00 01 00 0C 00 01 00 00 00 00 00 00 00 00 00
Offset 5E10:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Debug - Video BIOS

 
C000:0000  6.MH....i.i.i.i.6.M@....k.k.k.k.6.M.....c.c.c.c.....p...c.c.c.c.
C000:0040  .[i.# ...G.5L....[h.. ...w.5@.....H....4.7.eHL....H....4.7.e.Lm.
C000:0080  YxXxXx\x.. "rh[.\x\x\x\x..!.sHZ.\.\.\.\...1.cHK...........1.cHJ.
C000:00C0  t.l...&..u.._'.?v.n...$..U.6]...v.n...$..U.6M...v.n...$.YUA6....
C000:0100  .;..w.%..........+..w.%..........+..W............+....E.........
C000:0140  f$4n....|....{..g45~....|.. .[..o4=~....|W.....f.4.~....|W.....f
C000:0180  ....x..*.u...?.\.;..x....U.....|.{..p..J....._.<.z..p..KO.,.._.<
C000:01C0  L6/..|.......7N}N.-..\.?.....7N}n...<\$?.....wN=.....\.?.....vN<
C000:0200  ].&...Ed...-J5)\.'...Dt~...,Z49T./...Lt~P..,.4y..o....t~Q..,.4x
C000:0240  Q......G>Lte....S......W<lvE....C......W,.f..Q..C......Vl.&..Q..
C000:0280  S..^K.0o.;..4#.XQ..~I.2O.;..0#.Xq..>i....{...c..q..>i....{...c..
C000:02C0  D.'6....5...-nV.D.'.....1...)nR.d...6........nr.d...6........or.
C000:0300  .....@....sk..j......P....vk..o....m......V..V.....m........9V..
C000:0340  ...<+.......9......<)......o=......|!......o=......|!...L..o}...
C000:0380  .S..M..2.h.......C..O[. .h.".....C..o[. .h."....)CR..[1 .h."....
C000:03C0  ..........R.)%.....>......R.)%...2...x....Z.!%...2...x..-....%..


Debug - Unknown

 
ACPI  BATB: Unknown
ACPI  PMCT: Unknown
BIOS  Unknown
SPD  No SPD module found! (BusCount = 1)
SSD  XPG GAMMIX S11L




The names of actual companies and products mentioned herein may be the trademarks of their respective owners.